NVIDIA has released three graphics fixes for gaps in the GPU display driver, which may result in data disclosure and denial of service (DoS) on affected Windows machines.
The most serious flaw is CVE-2019-5675 can be exploited to launch DoS attacks that can paralyze the system as well as give attackers an escalation of privileges and disclosure of system information.
Another disadvantage is CVE-2019-5676 in the driver installation program and has also been classified with a high degree of risk. The program improperly loads the Windows DLL dynamic link libraries without validating their path or signing them. This may enable the DLL load attack already in which the attacker controls the DLL lookup path and places a malicious copy of it in this directory, which increases the privilege by executing the code.
The last drawback is CVE-2019-5677 which can lead to DoS. This bug is also present in the driver’s nvlddmkm.sys kernel mode layer handler for the DeviceIoControl interface. The program in this component reads from the buffer using mechanisms to access the buffer, such as indexes or cursors that point to memory locations after the target buffer, which may lead to denial of service.
NVIDIA encourage les utilisateurs à mettre à jour leur pilote car il existe actuellement des correctifs pour différentes versions de GeForce et Tesla.