Nvidia security flaws could used to commit denial of service attacks on Windows PCs

Five security flaws in Nvidia GPU drivers leave PCs open to privilege escalation and denial of service attacks

Security flaws in the drivers of Nvidia graphics cards could expose users' Windows PCs to privilege escalation and denial of service attacks.

The five security flaws, which range from ‘medium' to ‘high' in severity, according to Nvidia, have been found in older driver software. Other problems include the exposure of data and allowing specifically crafted malicious shaders to crash a GPU's input texture array to cause 'out of bounds access' to the array.

All the flaws affect the Nvidia Windows GPU display driver. Nvidia has advised users to update as soon as possible, although it may take days before Nvidia is able to push out the updated drivers.

GeForce cards on Windows 10 machines are affected if they are using the R430 build and are running drivers prior to 431.60. Quadro and NVS GPUs with the R430 build are affected if they are running drivers prior to 431.70, while GPUs with the R418 build are affected if they are running patches older than 426.00; all cards with the R400 build, as are R390 builds running drivers prior to 392.56.

Tesla GPUs are affected too, as indeed are all graphics accelerators with the R418 build.

Patches that plug the flaws are available now for all cards except the Tesla R418 versions and the Quadro and NVS with the R400 build; drivers for those will come out on 12th August and 19th August, respectively.

Nvidia said fixes might also be pushed put by GPU hardware makers: "Your computer hardware vendor may provide you with Windows driver version 431.23, 425.85, or 412.39 which also contain the security update."

While it is unlikely that these flaws would be exploited in the wild, the sophistication of state threat actors, combined with the fact that Nvidia accounts for around 75 per cent of the discrete graphics card market, means that it's wise for users to update their drivers, just in case.