Heap overflow in control device ioctl
Description
Heap buffer overflow in the Nvidia graphics driver ioctl allowed a 49-byte overflow; fixed in version 295.53.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap buffer overflow exists in the device control ioctl (NV_ESC_CARD_INFO) of the Nvidia Linux graphics driver. The minimum size of the ioctl buffer is not checked, causing the driver to write 50 bytes per device to a kernel heap buffer that is allocated based on the user-supplied input size. With a 1-byte input buffer, this results in a 49-byte overflow. The vulnerability affects driver versions prior to 295.53 [1].
Exploitation
Local access to the Nvidia device file (e.g., /dev/nvidia0) is required. An attacker sends a crafted ioctl call with a small buffer (e.g., 1 byte), triggering the overflow into adjacent heap memory. No additional authentication or race condition is needed for this specific overflow, though the bug report also notes a separate race condition [1].
Impact
Successful exploitation allows an attacker to overflow kernel heap memory by up to 49 bytes, potentially corrupting kernel data structures and leading to arbitrary code execution with kernel privileges. This can result in full system compromise (privilege escalation, denial of service).
Mitigation
The issue is fixed in Nvidia driver version 295.53 (release date not given in the reference). Users should upgrade to this version or later. No other workaround is mentioned in the available references; restricting access to the graphics device file may limit exposure [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <295.53
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers/+bug/979373 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.