Nvidia warns of a serious bug in GeForce Experience – but there’s a fix
Nvidia has rushed out a fix for a vulnerability in its Nvidia GeForce Experience (GFE) software that could allow local attackers carry out code execution attacks.
The flaw, tracked as CVE‑2020‑5964, could also allow hackers with access to an unpatched machine to trigger a denial of service (DoS) state and access privileged information.
The medium-rated vulnerability impacts all versions of the Nvidia GFE, the company’s companion software for GeForce GTX graphics card that keeps drivers up to date and automatically optimizes game settings, installed on Windows machines prior to version 3.20.4.
“Nvidia Windows GPU Display Driver, all versions, contains a vulnerability in the service host component, in which the application resources integrity check may be missed,” Team Green warns. “Such an attack may lead to code execution, denial of service or information disclosure.”
To stay protected, Nvidia recommends that users accept automatic updates or manually install the latest version of the GeForce Experience software from the Nvidia downloads page.
“Earlier software branch releases that support this product are also affected,” Nvidia adds. “If you are using an earlier branch release, upgrade to the latest branch release.”
Nvidia has published a second security advisory related to a Linux-based bug in the JetPack SDK that can can lead to escalation of privilege attacks. The bug, CVE‑2020‑5974, has been given an even more alarming 8.8 severity rating.
To protect against this bug, Nvidia recommends you download and install the latest NVIDIA JetPack SDK from Nvidia DevZone.
News of these vulnerabilities comes just weeks after Nvidia patched a number of security vulnerabilities in its GPU Display and CUDA drivers as well as its Virtual GPU Manager software.