⚡ TL;DR | Go Straight to the NVIDIA GPU Vulnerabilities Report
NVIDIA released a new security advisory detailing 10 new vulnerabilities. The vulnerabilities have a CVSS base score ranging from 8.5 down to 5.5 and can lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
The first severe vulnerability CVE-2022-28181 has the highest CVSS base score at 8.5. This vulnerability details a flaw in the kernel mode layer for NVIDIA GPU display drivers that allows an attacker that has gained access to the network to use a specially crafted shader to perform an out-of-bounds write. This out-of-bound write can be used to perform code execution, denial of service, escalation of privileges, information disclosure, or data tampering.
The second severe vulnerability is CVE-2022-28182 and also has a CVSS base score of 8.5. This vulnerability is almost identical to the previous vulnerability in the method that can be used to exploit it. However, the issue here lies in the DirectX11 user mode driver (nvwgf2um/x.dll).
Discover Vulnerable Devices
NVIDIA’s security advisory contains a list of all display driver versions and the new driver versions that contain a fix. We’ve used this information to create a special Lansweeper report that will provide a list of all devices in your environment that are affected by the vulnerabilities so you have an actionable list of devices that require a display driver update.
NVIDIA May 2022 CVE Codes & Titles
| CVE ID | Description | Base Score |
| CVE-2022-28181 | NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. The scope of the impact may extend to other components. | 8.5 |
| CVE-2022-28182 | NVIDIA GPU Display Driver for Windows contains a vulnerability in the DirectX11 user mode driver (nvwgf2um/x.dll), where an unauthorized attacker on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution to cause denial of service, escalation of privileges, information disclosure, and data tampering. The scope of the impact may extend to other components. | 8.5 |
| CVE-2022-28183 | NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause an out-of-bounds read, which may lead to denial of service and information disclosure. | 7.7 |
| CVE-2022-28184 | NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an unprivileged regular user can access administrator- privileged registers, which may lead to denial of service, information disclosure, and data tampering. | 7.1 |
| CVE-2022-28185 | NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the ECC layer, where an unprivileged regular user can cause an out-of-bounds write, which may lead to denial of service and data tampering. | 6.8 |
| CVE-2022-28186 | NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where the product receives input or data, but does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly, which may lead to denial of service or data tampering. | 6.1 |
| CVE-2022-28187 | NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where the memory management software does not release a resource after its effective lifetime has ended, which may lead to denial of service. | 5.5 |
| CVE-2022-28188 | NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where the product receives input or data, but does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly, which may lead to denial of service. | 5.5 |
| CVE-2022-28189 | NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a NULL pointer dereference may lead to a system crash. | 5.5 |
| CVE-2022-28190 | NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where improper input validation can cause denial of service. | 5.5 |