NVIDIA has released a security update for the Windows NVIDIA GeForce Experience (GFE) application to address vulnerabilities that could allow attackers to execute arbitrary code, escalate privileges, gain access to sensitive information, or cause a denial of service (DoS) condition on affected systems.
NVIDIA GFE is a GeForce GTX graphics card utility that "updates drivers, automatically optimizes your game settings and gives you the easiest way to share your greatest gaming moments with your friends," according to NVIDIA.
While these flaws require attackers to have local user access and cannot be exploited remotely, they can be exploited with malicious tools deployed on systems running vulnerable versions of the NVIDIA GFE application.
In addition, according to NVIDIA, attacks exploiting these bugs have low complexity, require low privileges, and need no user interaction.
CVE IDs | Description | Base Score |
---|---|---|
CVE-2020-5977 | NVIDIA GeForce Experience contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure. | 8.2 |
CVE-2020-5990 | NVIDIA GeForce Experience contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service, or information disclosure. | 7.3 |
CVE-2020-5978 | NVIDIA GeForce Experience contains a vulnerability in its services in which a folder is created by nvcontainer.exe under normal user login with LOCAL_SYSTEM privileges which may lead to a denial of service or escalation of privileges. | 3.2 |