NVIDIA has released a security update for the NVIDIA GeForce Experience (GFE) Windows application to address vulnerabilities that could allow attackers to execute arbitrary code, escalate privileges, gain access to sensitive information, or cause a denial of service (DoS) condition on affected systems.
NVIDIA GFE is a GeForce GTX graphics card utility that "updates drivers, automatically optimizes your game settings and gives you the easiest way to share your greatest gaming moments with your friends," according to NVIDIA.
While these flaws require attackers to have local user access and cannot be exploited remotely, they can be abused by malicious tools deployed on systems running vulnerable versions of the NVIDIA GFE application.
In addition, according to NVIDIA, attacks that take advantage of these flaws have low complexity, require low privileges, and need no user interaction.
CVE IDs | Description | Base Score |
---|---|---|
CVE-2020-5977 | NVIDIA GeForce Experience contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure. | 8.2 |
CVE-2020-5990 | NVIDIA GeForce Experience contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service, or information disclosure. | 7.3 |
CVE-2020-5978 | NVIDIA GeForce Experience contains a vulnerability in its services in which a folder is created by nvcontainer.exe under normal user login with LOCAL_SYSTEM privileges, which may lead to a denial of service or escalation of privileges. | 3.2 |