NVIDIA has released patches to correct 16 vulnerabilities in its graphics drivers and vGPU software for Windows and Linux systems, most of which are high severity flaws that can be exploited to escalate privileges, tamper with data, obtain sensitive data, or conduct denial of service attacks.
NVIDIA’s GPUs are popular with gamers due to being optimized for high-performance gaming. The vulnerabilities are in the drivers and software that connect operating systems to the graphics hardware. The most serious flaw, CVE-2021-1051, is rated 8.4 out of 10 for severity and is a flaw in the kernel mode layer handler (nvlddmkm.sys) for DxgkDdiEscape for the NVIDIA GPU Display Driver for Windows. The flaw could be exploited in a denial of service attack and for escalation of privileges.
Another vulnerability, tracked as CVE-2021-1052 and rated 7.8 out of 10 for severity, affects both the Windows and Linux versions of the same driver and can be exploited to allow user-mode clients to access legacy privileged APIs, which could lead to denial of service, escalation of privileges, and information disclosure.
A further 4 vulnerabilities (CVE-2021-1053, CVE-2021-1054, and CVE-2021-1055) have severity ratings ranging from 5.3 to 6.6 and also affect the kernel mode layer handler for DxgkDdiEscape and can lead to denial of service and information disclosure. The Linux version of the Display Driver also has a vulnerability (CVE-2021-1056) in the kernel mode layer (nvidia.ko) that could lead to denial of service attack and escalation of privileges that has been given a medium severity rating of 5.3.
10 vulnerabilities have been corrected in the NVIDIA vGPU manager and NVIDIA vGPU software, 9 of which have a 7.8 high severity rating with one given a medium severity rating of 5.5.
The high severity flaws are tracked as CVE‑2021‑1057, CVE‑2021‑1058, CVE‑2021‑1059, CVE‑2021‑1060, CVE‑2021‑1061, CVE‑2021‑1062, CVE‑2021‑1063, CVE‑2021‑1064, CVE‑2021‑1065 and affect either the guest kernel mode driver, the vGPU plugin, or both. Exploitation could result in integrity and confidentiality loss, tampering of data, denial of service, or information disclosure. The medium severity flaw CVE-2021-1066 could result in denial of service.
The updated software was released for download on January 7, 2020 and is available via the NVIDIA Driver Downloads page, with the vGPU software update available through the NVIDIA Licensing Portal.