Multiple vulnerabilities in NVIDIA GPU Display Driver
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2021-1074 CVE-2021-1075 CVE-2021-1076 CVE-2021-1077 CVE-2021-1078 |
| CWE-ID | CWE-284 CWE-822 CWE-763 CWE-476 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
R390 Hardware solutions / Drivers R465 Hardware solutions / Drivers R418 Hardware solutions / Drivers R460 Hardware solutions / Drivers R450 Hardware solutions / Drivers |
| Vendor |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU52486
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1074
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in installer. A local user can replace an application resource with malicious files, leading to arbitrary code execution, escalation of privileges, denial of service and information disclosure.
MitigationInstall updates from vendor's website.
Vulnerable software versionsR390: before 392.65
External linkshttp://nvidia.custhelp.com/app/answers/detail/a_id/5172
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Untrusted Pointer Dereference
EUVDB-ID: #VU52487
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1075
CWE-ID:
CWE-822 - Untrusted Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to untrusted pointer dereference in the kernel mode layer "nvlddmkm.sys" handler for DxgkDdiEscape. A local user can cause a denial of service condition on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsR390: before 392.65
R465: before 466.11
R418: before 427.33
R460: before 462.31
R450: before 452.96
External linkshttp://nvidia.custhelp.com/app/answers/detail/a_id/5172
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper access control
EUVDB-ID: #VU52488
Risk: Low
CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1076
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the kernel mode layer (nvlddmkm.sys or nvidia.ko). A local user can bypass implemented security restrictions, leading to denial of service, information disclosure or data corruption.
MitigationInstall updates from vendor's website.
Vulnerable software versionsR465: before 466.11
R418: before 427.33
R460: before 462.31
R450: before 460.73.01
R390: before 450.119.03
External linkshttp://nvidia.custhelp.com/app/answers/detail/a_id/5172
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Release of invalid pointer or reference
EUVDB-ID: #VU52489
Risk: Low
CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1077
CWE-ID:
CWE-763 - Release of invalid pointer or reference
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to the affected software uses a reference count to manage a resource that is incorrectly updated. A local user can cause a denial of service condition in th target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsR460: before 462.31
R450: before 460.73.01
External linkshttp://nvidia.custhelp.com/app/answers/detail/a_id/5172
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) NULL pointer dereference
EUVDB-ID: #VU52490
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1078
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the kernel driver (nvlddmkm.sys). A local user can pass specially crafted data to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsR465: before 466.11
R418: before 427.33
R460: before 462.31
R450: before 452.96
R390: before 392.65
External linkshttp://nvidia.custhelp.com/app/answers/detail/a_id/5172
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
