NVIDIA update fixes three vulnerabilities in GPU Display Driver

Graphics chip manufacturer NVIDIA last week released a security software update for its GPU Display Driver, fixing three vulnerabilities that, if left untreated, could result in denial of service, escalation of privileges, code execution or information disclosure.

The most serious of the three bugs is CVE-2019-5675, a high-severity flaw in the kernel mode layer handler for the "DxgkDdiEscape" function. According to a May 9 NVIDIA security bulletin, "The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes, which may lead to denial of service, escalation of privileges, or information disclosure."

A second bug, CVE-2019-5676, exposes NVIDIA software products to potential DLL preloading attacks dur to a lack of path or signature validation when loading Windows system DLLs. Such an attack can result in an escalation of privileges through code execution. The flaw was reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs, Łukasz 'zaeek', Yasin Soliman, Marius Mihai and Stefan Kanthak.

NVIDIA also patched a medium-level vulnerability in the kernel model layer handler for DeviceIoControl, "where the software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer, which may lead to denial of service," the security bulletin states.

Products affected by one of more of these vulnerabilities include the following Windows-based products:

In addition to NVIDIA's newly updated software versions, Windows driver versions 430.23, 425.25 and 422.02 provided by computer hardware vendors also include the security update, the company notes in its bulletin.