
Nvidia patches 5 GPU vulnerabilities in driver update


GPU manufacturing giant Nvidia has released driver updates to address three high-severity and two medium-severity security flaws. Rolling out as versions R555, R550, R535, and R470, these drivers fix flaws that could allow users to remotely run malicious code, access or extract data, or even cause a Denial-of-Service (DoS) attack locally on Windows and Linux PCs.

The high-severity flaws are CVE-2024-0091, CVE-2024-0090, and CVE-2024-0089 (all rated 7.8 on the CVSS scale). All three can be exploited in several ways, allowing arbitrary code execution, DoS attacks, data access or extraction, and privilege escalation.

The medium-severity flaws, CVE-2024-0092 and CVE-2024-0093, are both rated 6.5 on the CVSS scale. CVE-2024-0093 is a bug in Nvidia’s GPU software for Linux that allows information disclosure if exploited. CVE-2024-0092 affects the Nvidia GPU driver on both Windows and Linux and is caused by an improper check or improper handling of exception conditions, leading to a DoS attack if exploited.

Nvidia’s advisory also details five further bugs in the Nvidia vGPU software that are fixed in the update. These include two high-severity vulnerabilities, CVE-2024-0099 and CVE-2024-0084, and three medium-severity vulnerabilities: CVE-2024-0094, CVE-2024-0086, and CVE-2024-0085.

Similar to the bugs above, these vulnerabilities affect Nvidia’s vGPU software for virtual machines on Windows and Linux systems. If exploited, they let attackers run DoS attacks, access, extract, or tamper with data, and escalate privileges on the target machine.

The advisory provides a complete breakdown of the vulnerabilities and the affected Nvidia software versions. On Windows 11, GeForce users running driver versions prior to 475.06 are vulnerable, and Studio users are vulnerable on versions prior to 555.99. The Linux driver branch is more adversely affected, and all users are advised to update their respective Nvidia programs as soon as possible.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
