Memory corruption due to an unsanitized pointer in the NVIDIA display driver

Lenovo Security Advisory: LEN-3313

Potential Impact: Escalation of privileges

**Severity:**Medium

**Summary:**A vulnerability has been found in the NVIDIA driver that could be used to allow a local, non-privileged user to corrupt kernel memory. This could be used to gain local root privileges.

Description:

A local user can issue a specially crafted input/output control (IOCTL) to write a 32-bit integer value stored in the kernel driver to a user-specified memory location, potentially in the kernel address space. The user has a limited ability to influence the value of the integer that is written.

Exploit Scope and Risk:
This issue is present on Windows and Linux operating systems and affects all currently supported NVIDIA driver releases and all GPUs. This issue does not affect Android-based NVIDIA Tegra products

Mitigation Strategy for Customers (what you should do to protect yourself):

Lenovo is currently qualifying the updated NVIDIA drivers across all applicable impacted products. The updated drivers will be posted to the Lenovo Support site for affected products as qualification testing is completed. Review the Product Impact section below for the list of affected products. Once the driver has been qualified for the affected product, you will be able to link directly to the driver download page. You should visit this security advisory often to find links to the latest qualified driver for your product.

If this vulnerability puts you at an unacceptable level of risk and you want to mitigate before the Lenovo-certified driver is available for your product, you can visit the NVIDIA security webpage (www.nvidia.com/security) to download and install the reference driver. Please be aware that the reference driver has not been qualified by Lenovo. If you experience problems as a result of installing the driver from the NVIDIA support site, please contact NVIDIA directly. When the Lenovo-certified driver is available for download from the Lenovo Support site, Lenovo recommends that you uninstall the NVIDIA reference driver, and upgrade to the Lenovo Support site version.