Security flaws found in Nvidia GeForce GPUs

Scope and nature of the vulnerability

  • Flaws are in Nvidia’s GPU display drivers (Windows and Linux), not the physical GPUs.
  • Main bulletin notes privilege escalation and potential for code execution, DoS, info disclosure, and data tampering.
  • Some issues require a “privileged attacker” (on Linux, possibly a user in the video group or a similar elevated context); a separate set of Windows-only bugs is exploitable by unprivileged users.
  • Several commenters think the biggest concern is multi-user systems, virtualization hosts, and malware already on a machine using the driver to escalate.

Driver versions and update mechanisms

  • Updated Windows “Game Ready” driver: 566.03 (released 22/10/2024).
  • Linux fixes are in 565.57.01, 550.127.05, and 535.216.01.
  • Nvidia’s site still promotes an older “Studio” driver (565.90) as stable; the hotfix is only in 566.x and later, creating a choice between “tested but vulnerable” and “patched but less-tested.”
  • Some OEMs distribute an intermediate 565.92, but it’s not generally exposed on Nvidia’s public driver page.
  • Windows Update Nvidia drivers are reported to be years out of date and treated as fallback only; users typically must update manually, via GeForce Experience, the new Nvidia App, or third‑party tools like NVCleanInstall.
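
A check of an installed driver against the fixed versions listed above, as an added example that is not part of the original discussion or of Nvidia's tooling. The function names are hypothetical, and returning "unknown" for Linux branches the list does not name is an assumption of this example.

```python
import re
import subprocess
import sys

# Fixed versions as listed above; Linux fixes are per release branch.
LINUX_FIXED = {565: (565, 57, 1), 550: (550, 127, 5), 535: (535, 216, 1)}
WINDOWS_FIXED = (566, 3)  # Game Ready 566.03


def parse_version(text):
    """Turn '550.127.05' into (550, 127, 5); raise ValueError on anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,2}", text):
        raise ValueError(f"not a driver version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def driver_status(version, os_name):
    """Return 'patched', 'unpatched' or 'unknown' (hypothetical helper)."""
    v = parse_version(version)
    if os_name == "windows":
        return "patched" if v >= WINDOWS_FIXED else "unpatched"
    if os_name == "linux":
        fixed = LINUX_FIXED.get(v[0])
        if fixed is None:
            return "unknown"  # branch not in the list above: do not guess
        return "patched" if v >= fixed else "unpatched"
    raise ValueError(f"unsupported OS: {os_name!r}")


def installed_version():
    """Ask nvidia-smi for the loaded driver version; None if unavailable."""
    try:
        out = subprocess.run(
            ["nvidia-smi", "--query-gpu=driver_version", "--format=csv,noheader"],
            capture_output=True, text=True, check=True, timeout=10,
        ).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return out.strip().splitlines()[0].strip() if out.strip() else None


if __name__ == "__main__":
    os_name = "windows" if sys.platform == "win32" else "linux"
    found = installed_version()
    if found is None:
        print("nvidia-smi not available; pass a version to driver_status()")
    else:
        print(found, driver_status(found, os_name))
```

The comparison is per branch on Linux, so a 550-series driver is judged against 550.127.05 rather than against the highest number in the list.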

Risk assessment and exploitation paths

  • One view: for a single-user machine not already compromised, risk is low; the main worry is privilege escalation from already-running code, especially on shared or virtualized systems.
  • Others argue browser- or game-driven attack surface matters because WebGL/WebGPU and multiplayer games execute complex, often untrusted code paths that touch GPU drivers.
  • It’s unclear from the discussion whether these specific CVEs are practically exploitable from the browser, though some suspect user‑mode buffer bugs might be.

Linux, open drivers, and distributions

  • Debian marks the issue as “low priority” for Bookworm; no updated non-free packages yet.
  • The free (nouveau) driver is said not to be affected.
  • Some express frustration with Nvidia’s proprietary DKMS model and Nvidia’s historical Linux driver quality.

Broader themes: GPUs, browsers, and security posture

  • Concerns about GPU monoculture and weak security culture in GPU vendors.
  • Extensive debate about WebGPU/WebGL and whether browsers should expose powerful hardware and networking APIs versus staying more locked down.
  • Qubes OS is mentioned as an example of taking GPU isolation to the extreme by (largely) avoiding GPU access in untrusted VMs.