Mon | Jun 10, 2024 | 11:03 AM PDT

Nvidia has released a major security update to address multiple high-severity vulnerabilities in its GPU drivers and virtual GPU (vGPU) software. The flaws, if left unpatched, could enable threat actors to execute arbitrary code, access sensitive data, escalate privileges, and cause denial-of-service conditions on affected systems.

The most severe vulnerability, tracked as CVE-2024-0090, is an out-of-bounds write issue affecting both Windows and Linux GPU drivers. A successful exploit could lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

"CVE-2024-0090 is concerning given its versatility to an attacker, the fact that it affects both Windows and Linux, and the ubiquity of Nvidia GPUs in the overall attack surface," said Casey Ellis, Founder and Chief Strategy Officer at Bugcrowd. "I wouldn't be surprised to see it included in attack tooling in the not-too-distant future."

Other high-risk vulnerabilities patched in the update include CVE-2024-0089, which allows code execution and data tampering on Windows drivers, and CVE-2024-0091, an untrusted pointer dereference flaw that could lead to denial of service and information disclosure across Windows and Linux.

Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start, emphasized the urgency of applying these patches: "Unpatched systems are vulnerable to data breaches, operational disruptions, and other security incidents.... Applying Nvidia's patches is crucial to prevent exploits, protect sensitive information, maintain system integrity, and ensure service availability."

The updates also address several vulnerabilities in Nvidia's vGPU software, including high-severity flaws like CVE-2024-0099 and CVE-2024-0084, which could enable privilege escalation, data tampering, and denial of service in virtualized environments.

While remote code execution (RCE) may not be immediately possible based on the CVSS scores, John Bambenek, President at Bambenek Consulting, cautioned that "special effort may be needed to find these vulnerable systems and patch them, which will likely require a reboot."

As Nvidia's role in powering emerging technologies like generative AI grows, so does the scrutiny of its products from security researchers and malicious actors alike. "The rise of GenAI has driven a lot of adoption and drawn a lot of attention to Nvidia over the past few years, and that kind of attention invariably attracts security research, both the good kind and the malicious kind," Ellis noted.

Cybersecurity experts unanimously recommend applying these critical Nvidia security updates promptly to mitigate the risks posed by these vulnerabilities. Proactive security measures, including timely patching and robust security practices, are essential to safeguarding systems and data in an increasingly complex threat landscape.

Follow SecureWorld News for more stories related to cybersecurity.