CVE-2022-42261

Vulnerability

CVE-2022-42261 is a vulnerability in the NVIDIA vGPU software, specifically in the Virtual GPU Manager (vGPU plugin). The issue is that an input index is not validated, which can lead to a buffer overrun. This affects NVIDIA vGPU versions as distributed with NVIDIA Drivers. The vulnerability is present in the vGPU plugin that manages virtual GPU instances within the host kernel [1].

Exploitation

An attacker requires local access to the system where the NVIDIA vGPU plugin is loaded. The attacker must be able to interact with the vGPU manager, potentially through a virtual machine that has access to the vGPU. By supplying an invalid index, the attacker triggers a buffer overrun. The exact sequence of steps is not detailed but involves providing an out-of-range index value to the vGPU manager [1].

Impact

Successful exploitation can lead to data tampering, information disclosure, or denial of service. The attacker could corrupt data, read sensitive information from memory, or cause the system to crash. The compromise occurs at the host level, potentially affecting all virtual machines using the vGPU [1].

Mitigation

NVIDIA has released fixed versions of the driver. For Gentoo Linux, users should upgrade to the following versions or later: x11-drivers/nvidia-drivers-470.182.03:0/470, x11-drivers/nvidia-drivers-515.105.01:0/515, x11-drivers/nvidia-drivers-525.105.17:0/525, or x11-drivers/nvidia-drivers-530.41.03:0/530 [1]. Users of other distributions should apply the patches from NVIDIA. There is no known workaround for this vulnerability [1].