CVE-2022-42256

Vulnerability

An integer overflow vulnerability exists in the kernel mode layer (nvidia.ko) of the NVIDIA GPU Display Driver for Linux. The flaw occurs during index validation, potentially leading to memory corruption. Affected versions include driver branches 470, 515, 525, and 530 prior to the fixed releases listed in the Gentoo advisory [1].

Exploitation

An attacker with local user access to a system running an affected NVIDIA driver can trigger the integer overflow by interacting with the driver's kernel interface, though the exact sequence of steps required is not detailed in public references. No user interaction beyond normal system usage is specified; the exploitation likely involves passing crafted inputs to the driver's IOCTL handlers [1].

Impact

Successful exploitation may cause denial of service (system crash), information disclosure (kernel memory leak), or data tampering (corruption of kernel structures). The scope is limited to confidentiality, integrity, and availability impacts on the local system, with an attack vector requiring local access as per the CVSS specification [1].

Mitigation

The vulnerabilities are addressed in driver versions 470.182.03, 515.105.01, 525.105.17, and 530.41.03 for the respective branches. Gentoo users can upgrade by running the emerge commands provided in the advisory [1]. No workaround is available; upgrading to the fixed drivers is the only mitigation.