High-Risk GPU Driver Vulnerabilities That Permit Code Execution and Data Theft Are Fixed by NVIDIA

Eight flaws in NVIDIA’s virtual GPU software and GPU drivers that impact Linux and Windows computers have been fixed with urgent security fixes. The January 16 update fixes a number of security holes that might allow local attackers to run malicious code, steal information, or bring down compromised systems. Among the patches, two high-severity vulnerabilities stand out. The first (CVE-2024-0150) is a GPU display driver buffer overflow that may compromise the system by exposing information and interfering with data. A hacked guest system may cause memory corruption in the virtual GPU Manager, which might result in code execution and system takeover. This is the second significant problem (CVE-2024-0146). Users need to update to either version 539.19 (R535 branch) or 553.62 (R550 branch) for Windows computers. Installing version 550.144.03 or 535.230.02 is required for Linux users, depending on the driver branch.

The RTX, Quadro, NVS, and Tesla product lines from NVIDIA are all updated. There are additional hazards for enterprise environments that use NVIDIA’s virtualization technologies. A vulnerability known as CVE-2024-53881 gives guest systems the ability to initiate interrupt storms against host computers, which could result in system-wide disruptions. Users using virtual GPU software must update to version 17.5 (550.144.02) or 16.9 (535.230.02) in order to fix these security flaws. Remote exploitation is unlikely because the vulnerabilities explicitly target systems to which attackers have local access. These vulnerabilities, however, present a serious security concern in virtualized situations where several users share GPU resources. While enterprise vGPU users should get fixes via the NVIDIA Licensing Portal, system administrators can download the security updates via NVIDIA’s Driver Downloads page. NVIDIA advises installing these updates on all impacted computers very away.