SB2021042204 - Multiple vulnerabilities in NVIDIA GPU Display Driver

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021042204

SB2021042204 - Multiple vulnerabilities in NVIDIA GPU Display Driver

Published: April 22, 2021

Security Bulletin ID SB2021042204
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2021-1074)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in installer. A local user can replace an application resource with malicious files, leading to arbitrary code execution, escalation of privileges, denial of service and information disclosure.


2) Untrusted Pointer Dereference (CVE-ID: CVE-2021-1075)

CWE-ID: CWE-822 - Untrusted Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to untrusted pointer dereference in the kernel mode layer "nvlddmkm.sys" handler for DxgkDdiEscape. A local user can cause a denial of service condition on the target system.


3) Improper access control (CVE-ID: CVE-2021-1076)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the kernel mode layer (nvlddmkm.sys or nvidia.ko). A local user can bypass implemented security restrictions, leading to denial of service, information disclosure or data corruption.


4) Release of invalid pointer or reference (CVE-ID: CVE-2021-1077)

CWE-ID: CWE-763 - Release of invalid pointer or reference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to the affected software uses a reference count to manage a resource that is incorrectly updated. A local user can cause a denial of service condition in th target system.


5) NULL pointer dereference (CVE-ID: CVE-2021-1078)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the kernel driver (nvlddmkm.sys). A local user can pass specially crafted data to the application and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References