Potential security vulnerabilities in some Intel® QuickAssist Technology (QAT) drivers for Windows may allow escalation of privilege or information disclosure. Intel is releasing software updates to mitigate these potential vulnerabilities.
CVEID: CVE-2022-41699
Description: Incorrect permission assignment for critical resource in some Intel® QAT drivers for Windows before version 1.9.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVSS Base Score: 8.2 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H****
CVEID: CVE-2022-40972
Description: Improper access control in some Intel® QAT drivers for Windows before version 1.9.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVEID: CVE-2022-41771****
Description: Incorrect permission assignment for critical resource in some Intel® QAT drivers for Windows before version 1.9.0 may allow an authenticated user to potentially enable information disclosure via local access.
CVSS Base Score: 6.5 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVEID: CVE-2022-41621****
Description: Improper access control in some Intel® QAT drivers for Windows before version 1.9.0 may allow an authenticated user to potentially enable information disclosure via local access.
CVSS Base Score: 3.3 Low
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Intel® QAT drivers for Windows before version 1.9.0.
Intel recommends updating Intel® QAT drivers for Windows to version 1.9.0 or later.
Updates are available for download at this location:
<https://www.intel.com/content/www/us/en/download/19732>
Intel would like to thank Aobo Wang of Chaitin Security Research Lab (CVE-2022-41771, CVE-2022-41699, CVE-2022-41621) and Falcon Corruption @falconCorrup (CVE-2022-40972) for reporting these issues.****
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.