CVE-2022-34673

Vulnerability

The vulnerability resides in the kernel mode layer (nvidia.ko) of the NVIDIA GPU Display Driver for Linux. An out-of-bounds array access can be triggered, affecting driver versions prior to the fixed releases. The exact conditions required to reach the vulnerable code path are not detailed in the available references, but the flaw exists in the kernel module. [1]

Exploitation

An attacker would need to have local access to the system and the ability to interact with the NVIDIA driver, likely through standard graphics API calls or by loading a crafted GPU command stream. The out-of-bounds access can be exploited without special privileges beyond normal user access to the GPU device. The specific sequence of steps is not publicly documented. [1]

Impact

Successful exploitation could lead to denial of service (system crash or hang), information disclosure (leakage of kernel memory), or data tampering (corruption of kernel data structures). The impact is limited to the kernel context, potentially allowing an attacker to escalate privileges or cause system instability. [1]

Mitigation

NVIDIA has released fixed driver versions. For Gentoo Linux, users should upgrade to >=x11-drivers/nvidia-drivers-470.182.03:0/470, >=515.105.01:0/515, >=525.105.17:0/525, or >=530.41.03:0/530 depending on their driver branch. No workaround is available. [1]