Security

Subscribe

Product Info

NVIDIA Product Security

NVIDIA takes security concerns seriously and works to quickly evaluate and address them. Once a security concern is reported, NVIDIA commits the appropriate resources to analyze, validate and provide corrective actions to address the issue. NVIDIA works with the security intelligence community to ensure product related vulnerabilities and corrective actions are appropriately disclosed.

Subscribe to RSS

Notifying NVIDIA of security concerns


NVIDIA product and service related security concerns can be reported here. All submissions are monitored by NVIDIA product security teams and if follow-up communications are necessary, you will be contacted by one of our security specialists.

PLEASE NOTE: Product technical support is not available here. For technical support of NVIDIA products, please visit our NVIDIA Support Website.


Security Notifications


This list includes brief descriptions of potential security vulnerabilities. These issues are resolved by updating to the latest NVIDIA drivers.

Brief Originally Posted Last Updated
CVE-2016-2556: Kernel driver escape can allow access to restricted functionality
This issue can lead to increased risk of malicious code access to privileged resources. The vulnerability could be exploited to cause potential escalation of privilege which could allow access to private information or cause denial of service to system resources.
3/21/2016 3/21/2016
CVE-2016-2557: Kernel driver escape privileged memory access
This issue can lead to increased risk of malicious code access to privileged resources. The vulnerability could be exploited to cause the access of uninitialized or out of bounds memory leading to information disclosure, crashes or denial of service, and potential escalation of privilege.
3/21/2016 3/21/2016
CVE-2016-2558: Kernel driver escape allows untrusted pointer
This issue can lead to increased risk of malicious code access to privileged resources. The vulnerability could be exploited to cause the access of uninitialized or out of bounds memory leading to information disclosure, crashes or denial of service, and potential escalation of privilege.
3/21/2016 3/21/2016
Google Android Stagefright Multimedia Vulnerabilities
The Google Android operating system’s multimedia engine, known as Stagefright (or libstagefright), is affected by several vulnerabilities that may enable a remote attacker to cause a denial of service or execute arbitrary code with elevated permissions.
11/20/2015 11/20/2015
CVE-2015-7866: NVIDIA CONTROL PANEL UNQUOTED PATH
The NVIDIA control panel on Windows is affected by an unquoted path vulnerability allowing a local attacker to gain elevated privileges.
11/18/2015 11/18/2015
CVE-2015-7865: STEREOSCOPIC 3D DRIVER SERVICE ARBITRARY RUN KEY CREATION
The 3D Vision service nvSCPAPISvr.exe creates a named pipe that can allow elevation of privilege. In Windows Domain environments, it is also possible to exploit the vulnerability if the attacker has a valid user account on one domain-joined machine.
11/18/2015 11/18/2015
CVE-2015-7869: Unsanitized User Mode Input
This advisory relates to a security vulnerability in the NVAPI support layer of NVIDIA GPU graphics drivers. This report also details an advisory regarding integer overflow issues in the underlying kernel mode driver.
11/18/2015 11/18/2015
MICROSOFT DETOURS SECURITY UPDATE
A bug in the Detours implementation has the potential to reduce the effectiveness of some operating system security features.
NVIDIA is re-releasing an updated Detours library with current builds to resolve the issue and bring NVIDIA systems up to date with the latest Microsoft Detours patch level.
11/18/2015 11/18/2015
CVE-2015-5053: GPU mappings of third-party device IO memory
The vulnerability could be exploited to cause the GPU to access the third-party device IO memory past the de-allocation phase. This can cause a denial of service (clogging the device with invalid requests), or be used to access privileged IO space of the third-party device.
11/09/2015 11/09/2015
CVE-2015-5950 Memory corruption due to an unsanitized pointer in the NVIDIA display driver
A vulnerability has been found in the NVIDIA driver that could be used to allow a local, non-privileged user to corrupt kernel memory. This could be used to gain local root privileges.
09/25/2015 09/25/2015
CVE-2015-3625: Privilege Escalation via Unsanitized Pointer Dereference in NVIDIA FreeBSD Kernel Driver
The NVIDIA GPU kernel-level driver for FreeBSD does not properly sanitize pointers from user space before dereferencing them.
06/19/2015 06/19/2015
CVE-2015-1170: Windows Privilege Impersonation Check
The NVIDIA Display Driver's kernel administrator check improperly validates local client impersonation levels in some cases.
03/02/2015 03/02/2015
CVE-2014-5332: TEGRA LINUX KERNEL NVMAP VULNERABILITY
A momentary use-after-free vulnerability in the NVMap component allows a fixed single bit to clear data in a recycled memory structure. To take advantage of this vulnerability, an attacker needs to exploit the race condition that exists between the conversion of the FD to a handle structure pointer (one point in time) and the ref count increment of the handle structure (another point in time), and force the handle memory structure to be recycled in a kernel process where the fixed bit can be leveraged for exploit.
01/15/2015 01/15/2015
CVE-2014-8298: GLX-INDIRECT (Including CVE-2014-8093, CVE-2014-8098)
The GLX indirect rendering support supplied on NVIDIA products is subject to the recently disclosed X.Org vulnerabilities (CVE-2014-8093, CVE-2014-8098) as well as internally identified vulnerabilities (CVE-2014-8298).
12/09/2014 12/11/2014
CVE-2014-0224: GameStream OpenSSL Vulnerability
The OpenSSL library included in the GameStream components of GeForce Experience prior to 2.1.1 and SHIELD Hub prior to 3.2.18713345 are subject to the recently disclosed OpenSSL SSL/TLS MITM vulnerability (CVE-2014-0224). As a result, an attacker who successfully exploited this vulnerability could potentially steal confidential GameStream session data, including the user password, as well as modify session data.
09/09/2014 09/09/2014
CVE-2014-0160: Gamestream OpenSSL Vulnerability
The OpenSSL library included in the GameStream component of GeForce Experience 2.0.0 is subject to the recently disclosed Heartbleed vulnerability. As a result, an attacker who successfully exploited this vulnerability could from another computer read the GameStream service process memory, and potentially steal confidential GameStream session data, including the user password, or decrypt future GameStream sessions.
04/29/2014 04/29/2014
CVE-2013-5987: Unprivileged GPU access Vulnerability
An NVIDIA graphics driver bug allows unprivileged user-mode software to access the GPU inappropriately. An attacker who successfully exploited this vulnerability could take control of an affected system.
12/2/2013 12/2/2013
CVE-2013-0131: NVIDIA UNIX GPU Driver ARGB Cursor Buffer Overflow in "NoScanout" Mode.
When the NVIDIA driver for the X Window System is operated in "NoScanout"
mode, and an X client installs an ARGB cursor that is larger than the expected size (64x64 or 256x256, depending on the driver version), the driver will overflow a buffer. This can cause a denial of service (e.g., an X server segmentation fault), or could be exploited to achieve arbitrary code execution. Because the X server runs as setuid root in many configurations, an attacker could potentially use this vulnerability in those configurations to gain root privileges.
4/2/2013 4/2/2013
CVE-2013-0109 NVIDIA Display Driver Service Vulnerability
Due to an issue identified with the NVIDIA driver, a malicious actor could – by forcing exceptions and overwriting memory – potentially escalate privileges to gain administrative control of a system. The vulnerability is associated with the NVIDIA Display Driver service, and affects NVIDIA drivers for Windows operating systems (Windows XP/Windows Vista/Windows 7/Windows 8 - 32 & 64-bit) starting with the Release 173 drivers.
2/22/2013 2/22/2013
CVE-2013-0110 NVIDIA Stereoscopic 3D Driver Service Vulnerability
NVIDIA has verified an issue with the NVIDIA Stereoscopic 3D Driver Service (nvSCPAPISvr.exe), which could allow a malicious actor to potentially escalate privileges locally by inserting an executable file in the path of the affected service. The specific issue identified was that the service used an unquoted service path, containing at least one whitespace.
2/22/2013 2/22/2013
CVE-2013-0111 NVIDIA Update Service Daemon Vulnerability
NVIDIA has verified an issue with the NVIDIA Update Service Daemon (daemonu.exe), which could allow a malicious actor to potentially escalate privileges locally by inserting an executable file in the path of the affected service. The specific issue identified was that the service used an unquoted service path, containing at least one whitespace.
2/22/2013 2/22/2013
CVE-2012-4225 NVIDIA UNIX graphics driver Vulnerability
NVIDIA UNIX graphics drivers before 295.71 and before 304.32 allows local users to write to arbitrary physical memory locations and gain privileges by modifying the VGA window using /dev/nvidia0.
8/2/2012 2/20/2013
Security vulnerability CVE-2012-0946 in the NVIDIA UNIX driver
This vulnerability makes it possible for an attacker who has read and write access to the GPU device nodes to reconfigure GPUs to gain access to arbitrary system memory.
4/4/2012 8/6/2012
CVE-2006-5379 NVIDIA UNIX graphics driver Vulnerability
The accelerated rendering functionality of NVIDIA Binary Graphics Driver (binary blob driver) For Linux v8774 and v8762 allows local and remote attackers to execute arbitrary code via a large width value in a font glyph, which can be used to overwrite arbitrary memory locations.
10/18/2006 2/20/2013