CVE-2022-42255

Vulnerability

CVE-2022-42255 is an out-of-bounds array access vulnerability in the kernel mode layer (nvidia.ko) of the NVIDIA GPU Display Driver for Linux. This occurs in the nvidia.ko module, which is loaded when using NVIDIA graphics hardware. The affected versions include drivers for NVIDIA GPU products across multiple branches (470, 515, 525, and 530 series). [1]

Exploitation

An attacker with local access to the system can trigger the out-of-bounds array access by crafting specific inputs or operations that cause the kernel module to access an array element outside its bounds. No special privileges are required beyond the ability to interact with the NVIDIA driver through the graphics subsystem. The exploitation can be carried out through normal system usage if the attacker can supply malicious data or trigger specific kernel operations. [1]

Impact

Successful exploitation of this vulnerability can lead to denial of service (system crash or hang), information disclosure (leakage of kernel memory contents), or data tampering (corruption of critical system data). The impact can range from a system crash to the exposure of sensitive information or the corruption of system integrity. [1]

Mitigation

NVIDIA has released fixed driver versions to address this vulnerability. Users should upgrade to the following versions or later: for the 470 series, upgrade to 470.182.03; for the 515 series, upgrade to 515.105.01; for the 525 series, upgrade to 525.105.17; for the 530 series, upgrade to 530.41.03. Gentoo users can emerge the updated drivers as per the instructions in the Gentoo security advisory. No workaround is currently available. [1]