Lenovo Security Advisory: LEN-27326
Potential Impact: Denial of service, escalation of privileges, or information disclosure.
Severity: High
Scope of Impact: Industry-wide
CVE Identifier: CVE-2019-5675, CVE-2019-5676, CVE-2019-5677
Summary Description:
NVIDIA has released a software update to address potential security vulnerabilities in NVIDIA Windows GPU Display Driver. These vulnerabilities are summarized below.
CVE-2019-5675:
NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer(nvlddmkm.sys) handler for DxgkDdiEscape where the product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes, which may lead to denial of service, escalation of privileges, or information disclosure.
CVE-2019-5676:
NVIDIA Windows GPU Display Driver installer software contains a vulnerability in which it incorrectly loads Windows system DLLs without validating the path or signature (aka binary planting or DLL preloading attack), leading to escalation of privileges via code execution
CVE-2019-5677:
NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DeviceIoControl where the software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer, which may lead to denial-of-service.
Mitigation Strategy for Customers (what you should do to protect yourself):
NVIDIA recommends updating to the version of NVIDIA Windows GPU Display Driver (or later) described for your system in the product impact section.
Product Impact: