NVIDIA and Arm Urge Customers to Patch Bugs


NVIDIA and Arm have urged customers to upgrade their products after revealing a series of new vulnerabilities.

Arm announced an actively exploited zero-day vulnerability in its Mali GPU Kernel Driver which allows “improper GPU memory processing operations.”

Listed as CVE-2024-4610, the vulnerability impacts all versions of its Bifrost and Valhall drivers, from r34p0 to r40p0.

“A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,” the advisory noted. “Arm is aware of reports of this vulnerability being exploited in the wild. Users are recommended to upgrade if they are impacted by this issue.”

Read more on chip-level vulnerabilities: Critical Vulnerability Found in Motorola’s Unisoc Chips

Meanwhile, a new NVIDIA security bulletin for June revealed 10 new high and medium-severity vulnerabilities in its GPU Display Driver and VGPU software products.

Security experts highlighted CVE‑2024‑0090 as potentially the most serious. The out-of-bounds write bug could lead to code execution, denial of service, escalation of privileges, information disclosure and data tampering, NVIDIA said.

“CVE‑2024‑0090 is concerning given its versatility to an attacker, the fact that it affects both Windows and Linux, and the ubiquity of Nvidia GPUs in the overall attack surface,” argued Bugcrowd founder, Casey Ellis. “I wouldn’t be surprised to see it included in attack tooling in the not-too-distant future.”

John Bambenek, president of Bambenek Consulting, also urged caution.

“Judging from the CVSS scores, it doesn’t seem that NVIDIA believes remote execution of these vulnerabilities is possible,” he argued.

“The concern here is that sometimes device drivers can be overlooked as part of the patching process, especially when not part of the OS patch process. Therefore, special effort may be needed to find these vulnerable systems and patch them, which will likely require a reboot.”

Image credit: Ascannio / Shutterstock.com



Source link