Security Bulletin: NVIDIA GPU Display Driver - May 2019

NVIDIA has released a software security update for the NVIDIA GPU Display Driver. This update addresses issues that may lead to denial of service, escalation of privileges, code execution, or information disclosure. To protect your system, download and install this software update through NVIDIA Driver Downloads. Go to NVIDIA Product Security.

Details

This section summarizes the potential impact that this security update addresses. Descriptions use CWE™, and base scores and vectors use CVSS V3 standards.

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

Security Updates

The following table lists the NVIDIA software products affected, versions affected, and the updated versions that include this security update. Download the updates from the NVIDIA Driver Downloads page.

Windows

392.53

CVE‑2019‑5675 CVE‑2019‑5676 CVE‑2019‑5677 | Tesla | Windows | All R418 versions prior to 425.25 | 425.25
All R410 versions prior to 412.36 | 412.36

Notes:

• In addition to updated versions listed above, Windows driver versions 430.23, 425.25, and 422.02 provided by computer hardware vendors also include the security update.
• If you are using an unsupported version or an earlier unsupported branch, upgrade to the latest supported version. To identify products that are no longer supported check the product EOL pages Windows legacy GPU releases and Unix legacy GPU releases, or contact NVIDIA Support.
• The table above may not be a comprehensive list of all affected versions or branches and may be updated as more information becomes available.
• R390 driver branch versions include updates for CVE-2019-5666, previously disclosed in Security Bulletin: NVIDIA GPU Display Driver - February 2019.
• CVE-2019-5676 - If the GPU driver is installed on Windows 7, Microsoft KB2533623 must be installed as a prerequisite to address this CVE. This CVE does not affect driver packages provided by your hardware vendor and applies only to driver packages that are downloaded from the NVIDIA Driver Downloads public web page.

Mitigations

None. See Security Updates for the versions to install.

Acknowledgements

CVE-2019-5676: NVIDIA thanks multiple reporters for reporting this issue: Kushal Arvind Shah of Fortinet’s FortiGuard Labs; Łukasz ‘zaeek’; Yasin Soliman; Marius Gabriel Mihai; and Stefan Kanthak.