NvidiaNVIDIA:5384Security Bulletin: NVIDIA GeForce Experience - January 2023
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H
EPSS
Percentile
20.9%
NVIDIA has released a software security update for NVIDIA® GeForce Experience™ software. This update addresses issues that may lead to code execution, information disclosure, data tampering, and denial of service.
To protect your system, download and install this software update through the GeForce Experience Downloads page, or open the client to automatically apply the security update.
Go to NVIDIA Product Security.
Details
This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.
| CVE ID | Description | Base Score | Vector |
|---|---|---|---|
| CVE‑2022‑42291 | NVIDIA GeForce Experience contains a vulnerability in the installer, where a user installing the NVIDIA GeForce Experience software may inadvertently delete data from a linked location, which may lead to data tampering. An attacker does not have explicit control over the exploitation of this vulnerability, which requires the user to explicitly launch the installer from the compromised directory. | 8.2 | AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H |
| CVE‑2022‑31611 | NVIDIA GeForce Experience contains an uncontrolled search path vulnerability in all its client installers, where an attacker with user level privileges may cause the installer to load an arbitrary DLL when the installer is launched. A successful exploit of this vulnerability could lead to escalation of privileges and code execution. | 6.8 | AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H |
| CVE‑2022‑42292 | NVIDIA GeForce Experience contains a vulnerability in the NVContainer component, where a user without administrator privileges can create a symbolic link to a file that requires elevated privileges to write to or modify, which may lead to denial of service, escalation of privilege or limited data tampering. | 5.0 | AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H |
The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends evaluating the risk to your specific configuration.
Security Updates
The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.
Download the updates through the GeForce Experience Downloads page, or open the client to automatically apply the security update.
| CVE IDs Addressed | Software Product | Operating System | Affected Versions | Updated Version |
|---|---|---|---|---|
| CVE‑2022‑42291 | ||||
| CVE‑2022‑31611 | ||||
| CVE‑2022‑42292 | GeForce Experience | Windows | All versions prior to 3.27.0.112 | 3.27.0.112 |
Notes:
- Earlier software releases that support this product are also affected. If you are using an earlier release, upgrade to the latest release.
Acknowledgements
CVE‑2022‑42291 and CVE‑2022‑31611: NVIDIA thanks Minse Kim of DNSLab, Korea University for reporting these issues.
Related
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H
EPSS
Percentile
20.9%