---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerabilities in NVIDIA GPU Display Driver'
version: '1.0'
number: '2022-083'
original_date: 'November 28, 2022'
date: 'December 1, 2022'
---

_History:_

* _01/12/2022 --- v1.0 -- Initial publication_

# Summary

On November 28, NVIDIA released a software security update for its GPU display driver for Windows, containing a fix for a high-severity flaw that threat actors can exploit to perform, among other things, code execution and privilege escalation [1].

# Technical Details

The most critical vulnerabilities are:

- **CVE-2022-34669** (CVSS v3.1: 8.8) – Locally exploited user mode flaw in the Windows GPU driver allowing an unprivileged regular user to access or modify files critical to the application, potentially leading to code execution, privilege escalation, information disclosure, data tampering, and denial of service;
- **CVE-2022-34671** (CVSS v3.1: 8.5) – Remotely exploited user mode flaw in the Windows GPU driver allowing an unprivileged regular user to cause an out-of-bounds write, potentially leading to code execution, privilege escalation, information disclosure, data tampering, and denial of service.

# Affected Products

NVIDIA lists all affected driver versions in its Security Bulletin [2].

# Recommendations

CERT-EU recommends checking NVIDIA's Security Bulletin and applying the released security updates [2].

# References

[1]

[2]