CVSS3 Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Percentile: 35.7%
NVIDIA has released a software update for NVIDIA Omniverse™ Kit to address a security issue that may lead to code execution, information disclosure, data tampering, and denial of service.
To protect your system, open the Omniverse Launcher and apply the appropriate update.
Go to NVIDIA Product Security.
This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.
CVE ID | Description | Base Score | Vector |
---|---|---|---|
CVE‑2022‑42268 | Omniverse Kit contains a vulnerability in the reference applications Create, Audio2Face, Isaac Sim, View, Code, and Machinima. These applications allow executable Python code to be embedded in Universal Scene Description (USD) files to customize all aspects of a scene. If a user opens a USD file that contains embedded Python code in one of these applications, the embedded Python code automatically runs with the privileges of the user who opened the file. As a result, an unprivileged remote attacker could craft a USD file containing malicious Python code and persuade a local user to open the file, which may lead to information disclosure, data tampering, and denial of service. | 7.8 | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.
The following table lists the NVIDIA software products affected, software versions affected, and the updated version that includes this security update.
The updated versions in the table disable the functionality that automatically runs embedded Python code when a USD file is opened. If you enable this functionality, open USD files only from trusted sources.
CVE IDs Addressed | Software Product | Affected Versions | Updated Version |
---|---|---|---|
CVE‑2022‑42268 | Omniverse Audio2Face | All versions prior to 2022.2 | 2022.2 |
CVE‑2022‑42268 | Omniverse Create | All versions prior to 2022.3 | 2022.3 |
CVE‑2022‑42268 | NVIDIA Isaac Sim | All versions prior to 2022.2.0 | 2022.2.0 |
CVE‑2022‑42268 | Omniverse Machinima | All versions prior to 2022.3 | 2022.3 |
CVE‑2022‑42268 | Omniverse Code | All versions prior to 2022.3.0 | 2022.3.0 |
CVE‑2022‑42268 | Omniverse View | All versions prior to 2022.2.1 | 2022.2.1 |
To protect your system, update your software by following the instructions for the launcher that you are using:
The IT Managed Launcher is designed for air-gapped networks. NVIDIA will notify enterprise contacts by email when an update is available.
After the application is updated, any extensions that support running embedded Python code in USD files will be disabled. To enable these extensions, follow the instructions in the Extension Manager Documentation.
If you cannot install the updated versions, manually disable the following extensions:
omni.kit.embedded_script
omni.script.prim
omni.graph.scriptnode
To disable these extensions, follow the instructions and video in the Extension Manager Documentation.
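The version table and extension list above can be turned into a fleet triage check. The following is an added example, not NVIDIA code: the inventory record layout and the way the enabled-extension list is collected are assumptions, and the sample records are constructed.

```python
# Added triage example; updated versions and extension names are copied from the bulletin.
FIXED_IN = {
    "Omniverse Audio2Face": "2022.2",
    "Omniverse Create": "2022.3",
    "NVIDIA Isaac Sim": "2022.2.0",
    "Omniverse Machinima": "2022.3",
    "Omniverse Code": "2022.3.0",
    "Omniverse View": "2022.2.1",
}
# Extensions the bulletin says to disable when the update cannot be installed.
SCRIPT_EXTENSIONS = {"omni.kit.embedded_script", "omni.script.prim",
                     "omni.graph.scriptnode"}

def parse_version(text):
    """Turn '2022.2.1' into (2022, 2, 1); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)

def _pad(version, width):
    """Right-pad with zeros so that 2022.2 compares equal to 2022.2.0."""
    return version + (0,) * (width - len(version))

def is_affected(product, version):
    """True when `version` is older than the updated version for `product`."""
    fixed = parse_version(FIXED_IN[product])
    have = parse_version(version)
    width = max(len(fixed), len(have))
    return _pad(have, width) < _pad(fixed, width)

def triage(install):
    """Return (needs_update, script_extensions_enabled) for one install record."""
    needs_update = is_affected(install["product"], install["version"])
    # Updated builds ship with these extensions disabled; if they were
    # re-enabled, embedded Python runs again, so report them either way.
    enabled = SCRIPT_EXTENSIONS & set(install["enabled_extensions"])
    return needs_update, sorted(enabled)

# Constructed inventory records (hypothetical layout), not data from the bulletin.
INVENTORY = [
    {"product": "Omniverse Create", "version": "2022.2.2",
     "enabled_extensions": ["omni.kit.embedded_script", "example.unrelated.ext"]},
    {"product": "NVIDIA Isaac Sim", "version": "2022.2",
     "enabled_extensions": ["omni.graph.scriptnode"]},
]
```

An install is only in the state the bulletin recommends when `triage` returns `(False, [])`, or when any listed extension was enabled deliberately and USD files come only from trusted sources.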
CVE‑2022‑42268 - NVIDIA thanks Shashi Bhushan for reporting this issue.