Don't want to see articles from a certain category? When logged in, go to your User Settings and adjust your feed in the Content Preferences section where you can block tags!
We do often include affiliate links to earn us some pennies. See more here.

NVIDIA puts out Security Bulletin for various driver issues

By - | Views: 33,122

NVIDIA today put out an official Security Bulletin, noting multiple flaws found in their Windows and Linux drivers. The good news is that drivers are already out that fix the problems, which I'll detail below.

Here's all those that affect Linux, brace yourself, there's quite a few of them:

CVE‑2022‑34670 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause truncation errors when casting a primitive to a primitive of smaller size causes data to be lost in the conversion, which may lead to denial of service or information disclosure.

CVE‑2022‑42263 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an Integer overflow may lead to denial of service or information disclosure.

CVE‑2022‑34676 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds read may lead to denial of service, information disclosure, or data tampering.

CVE‑2022‑42264 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause the use of an out-of-range pointer offset, which may lead to data tampering, data loss, information disclosure, or denial of service.

CVE‑2022‑34674 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where a helper function maps more physical pages than were requested, which may lead to undefined behavior or an information leak.

CVE‑2022‑34678 - NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged user can cause a null-pointer dereference, which may lead to denial of service.

CVE‑2022‑34679 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unhandled return value can lead to a null-pointer dereference, which may lead to denial of service.

CVE‑2022‑34680 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an integer truncation can lead to an out-of-bounds read, which may lead to denial of service.

CVE‑2022‑34677 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause an integer to be truncated, which may lead to denial of service or data tampering.

CVE‑2022‑34682 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause a null-pointer dereference, which may lead to denial of service.

CVE‑2022‑42257 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure, data tampering or denial of service.

CVE‑2022‑42265 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure or data tampering.

CVE‑2022‑34684 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an off-by-one error may lead to data tampering or information disclosure.

CVE‑2022‑42254 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, data tampering, or information disclosure.

CVE‑2022‑42258 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service, data tampering, or information disclosure.

CVE‑2022‑42255 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering.

CVE‑2022‑42256 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow in index validation may lead to denial of service, information disclosure, or data tampering.

CVE‑2022‑34673 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering.

CVE‑2022‑42259 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service.

There's also a few for NVIDIA VGPU and they affect Tesla too. There's also some that only affect Windows, this isn't a Linux-specific thing but a lot of them are just in their Linux drivers.

As mentioned, the good news is that drivers are already out that solve them. For GeForce users you want minimum driver versions 525.60.11, 515.86.01, 510.108.03, 470.161.03 or 390.157. For RTX, Quadro or NVS you want a minimum driver version of 525.60.11, 515.86.01, 510.108.03, 470.161.03 or 390.157. To put it very simply, if you're not using the very latest NVIDIA drivers in whatever series — update now, all previous versions are vulnerable to the drivers released on November 22nd.

Going by the bulletin page, the issues were public on November 28 but they've seemingly only just actually put out the security bulletin email.

Article taken from GamingOnLinux.com.
Tags: Drivers, Misc, NVIDIA
9 Likes
About the author -
author picture
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. Find me on Mastodon.
See more from me
The comments on this article are closed.
24 comments
Page: 1/3»
  Go to:

dpanter Dec 2, 2022
Yikes.
fireplace Dec 2, 2022
This is all old stuff. NVidia (and most companies in general) publish these reports long after everything has been privately patched. Your software update may look like any other, but there is a good chance it has security fixes. That's why Torvalds doesn't like when people treat security fixes and bug fixes differently. They're all equally important :)


Last edited by fireplace on 2 December 2022 at 7:03 pm UTC
Liam Dawe Dec 2, 2022
Quoting: fireplaceThis is all old stuff. NVidia (and most companies in general) publish these reports long after everything has been privately patched. Your software update may look like any other, but there is a good chance it has security fixes. That's why Torvalds doesn't like when people treat security fixes and bug fixes differently. They're all equally important :)
I'm afraid it's not all old stuff. In this case previous drivers were compromised, as their bulletin points out you need all the latest drivers in each series, as all previous are vulnerable and the fixed drivers were only released on November 22nd so many people will be out of date.
dibz Dec 2, 2022
Quoting: dpanterYikes.

Security issues are hardly uncommon for stuff like this, Linux users just tend to pay more attention. Kudos for Liam mentioning driver versions, not sure if NVIDIA did too or not. Usually stuff like this is when I have to explain to people what backports are and why their systems are okay.
fireplace Dec 2, 2022
Quoting: Liam Dawe
Quoting: fireplaceThis is all old stuff. NVidia (and most companies in general) publish these reports long after everything has been privately patched. Your software update may look like any other, but there is a good chance it has security fixes. That's why Torvalds doesn't like when people treat security fixes and bug fixes differently. They're all equally important :)
I'm afraid it's not all old stuff. In this case previous drivers were compromised, as their bulletin points out you need all the latest drivers in each series, as all previous are vulnerable and the fixed drivers were only released on November 22nd so many people will be out of date.

The standard "Make sure to keep X up to date" has nothing to do whether any previous version was vulnerable. The CVEs are reported at a much later date by then. Updates will keep coming and new exploits will arise. But all of that doesn't matter. You should keep your software up to date regardless of whether it's a "security fix" or not. Bugs are bugs.


Last edited by fireplace on 2 December 2022 at 7:19 pm UTC
Liam Dawe Dec 2, 2022
Quoting: fireplace
Quoting: Liam Dawe
Quoting: fireplaceThis is all old stuff. NVidia (and most companies in general) publish these reports long after everything has been privately patched. Your software update may look like any other, but there is a good chance it has security fixes. That's why Torvalds doesn't like when people treat security fixes and bug fixes differently. They're all equally important :)
I'm afraid it's not all old stuff. In this case previous drivers were compromised, as their bulletin points out you need all the latest drivers in each series, as all previous are vulnerable and the fixed drivers were only released on November 22nd so many people will be out of date.

The standard "Make sure to keep X up to date" has nothing to do whether any previous version was vulnerable. The CVEs are reported at a much later date by then. Updates will keep coming and new exploits will arise. But all of that doesn't matter. You should keep your software up to date regardless of whether it's a "security fix" or not. Bugs are bugs.
I really don't know what you're trying to get at. The security bulletin is clear about all prior versions to those listed in the article released on November 22nd as being vulnerable.
fireplace Dec 2, 2022
Quoting: Liam Dawe
Quoting: fireplace
Quoting: Liam Dawe
Quoting: fireplaceThis is all old stuff. NVidia (and most companies in general) publish these reports long after everything has been privately patched. Your software update may look like any other, but there is a good chance it has security fixes. That's why Torvalds doesn't like when people treat security fixes and bug fixes differently. They're all equally important :)
I'm afraid it's not all old stuff. In this case previous drivers were compromised, as their bulletin points out you need all the latest drivers in each series, as all previous are vulnerable and the fixed drivers were only released on November 22nd so many people will be out of date.

The standard "Make sure to keep X up to date" has nothing to do whether any previous version was vulnerable. The CVEs are reported at a much later date by then. Updates will keep coming and new exploits will arise. But all of that doesn't matter. You should keep your software up to date regardless of whether it's a "security fix" or not. Bugs are bugs.
I really don't know what you're trying to get at. The security bulletin is clear about all prior versions to those listed in the article released on November 22nd as being vulnerable.

What I'm trying to say is that all updates are of equal importance. This one isn't somehow special as nvidia probably addressed those privately even if it says that this latest one is the one with all the fixes.


Last edited by fireplace on 2 December 2022 at 7:29 pm UTC
Liam Dawe Dec 2, 2022
I don't think anyone is arguing against updates being important :)
denyasis Dec 2, 2022
Glad they put this information out.
For less technically competent people, like me, how likely are these vulnerabilities to be exploited?

I know there is some degree of difference in how realistic these can be, but nevertheless, I totally agree it's important to update.
Terrace Dec 2, 2022
The Pop_os guys update the Nvidia drivers very slowly, whats the best way to manually update one time to a version that has these fixes and then let Pop_os go back to updating once they surpass this version?


Last edited by Terrace on 2 December 2022 at 9:06 pm UTC
While you're here, please consider supporting GamingOnLinux on:

Reward Tiers: Patreon. Plain Donations: PayPal.

This ensures all of our main content remains totally free for everyone! Patreon supporters can also remove all adverts and sponsors! Supporting us helps bring good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
The comments on this article are closed.