High-flying Nvidia took care of some routine business on June 6 when it reported three high-severity bugs in its GPU Display Driver and another two high-severity bugs in Nvidia’s vGPU software.
In a security bulletin to customers, Nvidia said an exploit of the GPU Display Driver bugs could lead to some combination or all of the following: remote code execution, denial-of-service attacks, escalation of privileges, information disclosure, and data tampering.
The high-severity flaws are tracked as CVE-2024-0090, CVE-2024-0089, and CVE-2024-0091. Two other medium-severity flaws were assigned the following CVEs: CVE-2024-0093 (information disclosure) and CVE-2024-0092 (denial-of-service).
One of the high-severity bugs in NVIDIA vGPU software for Linux, CVE-2024-0099, is a vulnerability in the Virtual GPU Manager where the guest OS could cause a buffer overrun in the host. Nvidia said a successful exploit of this vulnerability could lead to information disclosure, data tampering, escalation of privileges, and denial-of-service.
The other high-severity flaw in the vGPU software, CVE-2024-0084, is one where the guest OS could execute privileged operations. Nvidia said a successful exploit of this vulnerability could also lead to information disclosure, data tampering, escalation of privileges, and denial of service.
Kevin Surace, chair at Token, said while GPUs and other hardware drivers often get patched, NVIDIA is much higher profile after news that it overtook Apple as the second most valuable U.S. company, and its GPUs are at the core of training and inference for AI.
“Some of the patches are more serious now based on market conditions and broad usage versus when they were just for graphics,” said Surace. “I would expect many more issues found in drivers in the coming months and years.”
Casey Ellis, founder and chief strategy officer at Bugcrowd, added that security teams need to consider patching these Nvidia bugs. Ellis said CVE-2024-0090 raises concerns given its versatility to an attacker, the fact that it affects both Windows and Linux, and the ubiquity of Nvidia GPUs in the overall attack surface.
“I wouldn't be surprised to see it included in attack tooling in the not-too-distant future,” said Ellis. “The rise of GenAI has driven a lot of adoption and drawn a lot of attention to Nvidia over the past few years, and that kind of attention invariably attracts security research, both the good kind that finds vulnerabilities like these and offers the information and priority needed for a fix to be created, as well as the malicious kind.”