Nvidia Patches High-Risk Flaws In Windows Drivers

Nvidia has issued patches for high-severity security bugs in its graphics driver for Windows and its GeForce Experience software in the latest incident to affect gaming-equipped PCs.

The bugs can allow attacks ranging from code execution to escalation of privilege or denial of service, but can only be directly exploited by attackers with local access.

They could, however, also be exploited remotely by tricking users into clicking on a malicious attachment, for instance.

Three of the high-severity bugs affect Nvidia’s Windows GPU Display Driver, a graphics card driver used in PCs aimed at gamers.

Kernel mode

All three of the issues, designated CVE‑2019‑5690, CVE‑2019‑5691 and CVE‑2019‑5692, affect the driver’s kernel mode layer handler.

The layer handler for the DxgkDdiEscape interface runs in kernel mode, which is reserved for the operating system’s most trusted components.

The issues involve the handler’s failure to validate the size of an input buffer, dereferencing a NULL pointer and using untrusted input when calculating an array index.
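The three defect classes named above correspond to three checks that any handler parsing caller-supplied data needs before it touches that data. The following user-mode C sketch is an added example, not Nvidia's code and not taken from its advisory; the request layout, names and return codes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_COUNT 8u

/* Hypothetical request layout; NOT the real DxgkDdiEscape private data format. */
typedef struct {
    uint32_t opcode;
    uint32_t slot;   /* caller-controlled array index */
    uint32_t value;
} escape_req;

enum { ESC_OK = 0, ESC_BAD_PTR = -1, ESC_BAD_SIZE = -2, ESC_BAD_INDEX = -3 };

static uint32_t slots[SLOT_COUNT];

int handle_escape(const void *buf, size_t len)
{
    escape_req req;

    /* 1. Reject a NULL buffer before any dereference. */
    if (buf == NULL)
        return ESC_BAD_PTR;

    /* 2. Validate the caller-declared size before reading any field. */
    if (len != sizeof(req))
        return ESC_BAD_SIZE;

    /* Copy once into local storage so the checked values are the used values. */
    memcpy(&req, buf, sizeof(req));

    /* 3. Bounds-check the untrusted index before using it on the array. */
    if (req.slot >= SLOT_COUNT)
        return ESC_BAD_INDEX;

    slots[req.slot] = req.value;
    return ESC_OK;
}

int main(void)
{
    escape_req bad = { 1u, 4096u, 7u };   /* constructed out-of-range index */
    printf("out-of-range request -> %d\n", handle_escape(&bad, sizeof bad));
    return 0;
}
```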

The bugs could lead to an escalation of privileges or denial of service. The driver is also affected by another six medium-severity flaws.

Nvidia said those affected should update to the latest driver version, but said in its advisory that Windows drivers for some products would not be available until 18 November.

GeForce Experience

GeForce Experience, a utility that works with the GeForce GTX graphics card, is affected by another high-severity bug that takes effect when GameStream is enabled.

The GameStream feature allows users to stream games to smart TVs or tablets.

An attacker with local access could exploit the flaw to load Intel graphics driver dynamic link libraries (DLLs) to the application without validating their path or signature, Nvidia said.

The attack could allow an attacker to execute malicious code, escalate privileges or steal information.

GeForce Experience is also affected by two medium-severity bugs.

Windows users can update to version 3.20.1 of the application, which fixes the issues, Nvidia said.

In September of this year Nvidia fixed three other serious flaws in its Windows drivers that could have allowed local code execution, as well as another two that were given medium-severity ratings and allowed denial of service or escalation of privileges.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
