NVIDIA Linux GPU Display Driver contains missing permissions check and improper validation vulnerabilities - us

Lenovo Security Advisory: LEN-10962

Potential Impact: Privilege escalation

Severity: Medium

**Scope of Impact:**Industry-Wide

CVE Identifier: CVE-2016-7382, CVE-2016-7389

Summary Description:

The NVIDIA GPU Display Driver for Linux contains two privilege escalation vulnerabilities.

CVE-2016-7382

NVIDIA GPU Display Driver contains a vulnerability in the kernel mode layer (nvidia.ko) handler where a missing permissions check may allow users to gain access to arbitrary physical memory, leading to an escalation of privileges.

CVE-2016-7389

NVIDIA GPU Display Driver on Linux contains a vulnerability in the kernel mode layer (nvidia.ko) handler for mmap() where improper input validation may allow users to gain access to arbitrary physical memory, leading to an escalation of privileges.

See the NVIDIA security advisory located here for more details.

Mitigation Strategy for Customers (what you should do to protect yourself):

Lenovo is currently qualifying the updated NVIDIA drivers across all applicable impacted products. The updated drivers will be posted to the Lenovo Support site for affected products as quality assurance testing is completed. Review the Product Impact section below for the list of product fixes. Once the driver has been qualified for the affected product, you will be able to link directly to the driver download page. You should visit this security advisory often to find links to the latest qualified driver for your product.

Product Impact: