⚡ TL;DR | Go Straight to the NVIDIA GPU Vulnerabilities Report
NVIDIA released another security bulletin announcing a software security update for NVIDIA GPU Display Driver. The update addresses 25 vulnerabilities with a CVSS base score between 8.8 and 4.4. These affect Geforce, Studio, RTX, Quadro, NVS, and Tesla graphics cards. They may lead to denial of service, information disclosure, escalation of privileges, code execution, or data tampering. For your organization that could mean severe disruptions in processes and sensitive data being compromised.
CVE-2022-34669 and CVE-2022-34671
The 2 most severe vulnerabilities CVE-2022-34669 and CVE-2022-34671 have CVSS base scores of 8.8 and 8.5 respectively. Both are located in the user mode layer. CVE-2022-34669 could allow an unprivileged regular user to access or modify system files or other files that are critical to the application. CVE-2022-34671 could allow an unprivileged regular user to cause an out-of-bounds write. Both of these vulnerabilities could lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. CVE-2022-34671 has a slightly lower severity rating because its complexity makes it harder to exploit.
Other vulnerabilities addressed in this update, though less severe, still have CVSS scores ranging up to 7.8. You can find the full list below. You can also find more information in NVIDIA’s security bulletin.
Update Vulnerable Display Drivers
NVIDIA’s bulletin contains a list of all affected display driver versions and the new driver versions that contain a fix, both for Windows and for Linux. You can find a copy of the lists below. All prior driver versions are still affected by the listed vulnerabilities. You can download and install the software update through the NVIDIA Driver Downloads page.
Discover Vulnerable Devices
Using the list of updated driver versions provided by NVIDIA, our team has created a special Lansweeper report. It will provide a list of all Windows devices in your environment that are affected by the GPU vulnerabilities. This way you have an actionable list of devices that require a display driver update.
NVIDIA December 2022 CVE Codes
| CVE | Description | Base Score |
| CVE-2022-34669 | NVIDIA GPU Display Driver for Windows contains a vulnerability in the user mode layer, where an unprivileged regular user can access or modify system files or other files that are critical to the application, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. | 8.8 |
| CVE-2022-34671 | NVIDIA GPU Display Driver for Windows contains a vulnerability in the user mode layer, where an unprivileged regular user can cause an out-of-bounds write, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. | 8.5 |
| CVE-2022-34672 | NVIDIA Control Panel for Windows contains a vulnerability where an unauthorized user or an unprivileged regular user can compromise the security of the software by gaining privileges, reading sensitive information, or executing commands. | 7.8 |
| CVE-2022-34670 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause truncation errors when casting a primitive to a primitive of smaller size causes data to be lost in the conversion, which may lead to denial of service or information disclosure. | 7.8 |
| CVE-2022-42263 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an Integer overflow may lead to denial of service or information disclosure. | 7.1 |
| CVE-2022-34676 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds read may lead to denial of service, information disclosure, or data tampering. | 7.1 |
| CVE-2022-42264 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause the use of an out-of-range pointer offset, which may lead to data tampering, data loss, information disclosure, or denial of service. | 7.1 |
| CVE-2022-34674 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where a helper function maps more physical pages than were requested, which may lead to undefined behavior or an information leak. | 6.8 |
| CVE-2022-34678 | NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged user can cause a null-pointer dereference, which may lead to denial of service. | 6.5 |
| CVE-2022-34679 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unhandled return value can lead to a null-pointer dereference, which may lead to denial of service. | 5.5 |
| CVE-2022-34680 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an integer truncation can lead to an out-of-bounds read, which may lead to denial of service. | 5.5 |
| CVE-2022-34677 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause an integer to be truncated, which may lead to denial of service or data tampering. | 5.5 |
| CVE-2022-34681 | NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler, where improper input validation of a display-related data structure may lead to denial of service. | 5.5 |
| CVE-2022-34682 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause a null-pointer dereference, which may lead to denial of service | 5.5 |
| CVE-2022-34683 | NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a null-pointer dereference occurs, which may lead to denial of service. | 5.5 |
| CVE-2022-42266 | NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an unprivileged regular user can cause exposure of sensitive information to an actor that is not explicitly authorized to have access to that information, which may lead to limited information disclosure. | 5.5 |
| CVE-2022-42257 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure, data tampering or denial of service. | 5.3 |
| CVE-2022-42265 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure or data tampering. | 5.3 |
| CVE-2022-34684 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an off-by-one error may lead to data tampering or information disclosure. | 5.3 |
| CVE-2022-42254 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, data tampering, or information disclosure. | 5.3 |
| CVE-2022-42258 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service, data tampering, or information disclosure. | 5.3 |
| CVE-2022-42255 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering. | 5.3 |
| CVE-2022-42256 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow in index validation may lead to denial of service, information disclosure, or data tampering. | 5.3 |
| CVE-20223-4673 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering. | 4.4 |
| CVE-2022-42259 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service. | 4.4 |
