Just this month, Nvidia posted a security bulletin on its site alerting consumers that GPUs in its GeForce, Quadro, and Tesla product lines were all affected by serious vulnerabilities. The vulnerabilities range in severity, but get as dangerous as local code execution and privilege escalation, and can be found in all versions of numerous driver tracks that the company provides for its hardware.
Notably, this includes the R430 line that powers the GeForce GPUs. While Nvidia has since issued new patched versions of all of its GeForce and many of its Quadro drivers, patches for some of its Quadro and Tesla drivers have not been released, and in some cases won’t be ready for two weeks.
The revelation of these substantial security flaws comes at an exceptionally awkward time for the GPU manufacturer, as it has just released its GeForce RTX Super line of graphics cards to capitalize on the post-E3 gaming excitement. Considering that concern for local privilege escalation vulnerabilities is often taken less seriously than more menacing remote code execution vulnerabilities due to the comparatively limited attack vector, gamers may not think to download and install a patch to their freshly purchased RTX Super GPU.
These security holes also coincide with a recent disappointing showing against AMD. After AMD successfully tricked Nvidia into sabotaging its own RTX Super release with a less-than-competitive price point, marketing gleaming new GPUs with high-severity vulnerabilities right out of the gate surely feels like getting salt in its wound.
One saving grace for Nvidia is that some hardware manufacturers may bundle the driver update as part of larger system updates, but users should definitely not count on this.
As things currently stand, a local code execution bug combined with a privilege execution bug can leave unpatched devices open to physical attacks in which a malicious actor gains physical access to a device to give themselves administrator privileges and run arbitrary code. This kind of attack is not out of the question, as many of the devices containing vulnerable Nvidia graphics cards are used by creatives who may or may not have robust security models, or may be using publicly accessible devices like those in libraries or gaming lounges. Regardless, any consumer with affected hardware should download and run the patch installers Nvidia has provided (or will soon provide, for those that are not yet available) as soon as possible.