NvidiaNVIDIA:5456Security Bulletin: NVIDIA CUDA Toolkit - April 2023
6.6 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
0.0005 Low
EPSS
Percentile
16.2%
NVIDIA has released a software update for NVIDIA® CUDA® Toolkit software. This update addresses security issues that may lead to code execution, limited denial of service, and limited information disclosure.
To protect your system, download and install this software update from the CUDA Toolkit Downloads page.
Go to NVIDIA Product Security.
Details
This section summarizes the potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors follow CVSS v3.1 standards.
| CVE ID | Description | Base Score | Vector and CWE |
|---|---|---|---|
| CVE‑2023‑25512 | NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in cuobjdump, where an attacker may cause an out-of-bounds memory read by running cuobjdump on a malformed input file. A successful exploit of this vulnerability may lead to limited denial of service, code execution, and limited information disclosure. |
5.3 | AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
| CWE‑125 | |||
| CVE‑2023‑25513 | NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in cuobjdump, where an attacker may cause an out-of-bounds read by tricking a user into running cuobjdump on a malformed input file. A successful exploit of this vulnerability may lead to limited denial of service, code execution, and limited information disclosure. |
5.3 | AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
| CWE‑125 | |||
| CVE‑2023‑25514 | NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in cuobjdump, where an attacker may cause an out-of-bounds read by tricking a user into running cuobjdump on a malformed input file. A successful exploit of this vulnerability may lead to limited denial of service, code execution, and limited information disclosure. |
5.3 | AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
| CWE‑125 | |||
| CVE‑2023‑25510 | NVIDIA CUDA Toolkit SDK for Linux and Windows contains a NULL pointer dereference in cuobjdump, where a local user running the tool against a malformed binary may cause a limited denial of service. |
3.3 | AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
| CWE‑476 | |||
| CVE‑2023‑25511 | NVIDIA CUDA Toolkit for Linux and Windows contains a vulnerability in cuobjdump, where a division-by-zero error may enable a user to cause a crash, which may lead to a limited denial of service. |
3.3 | AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
| CWE‑369 |
The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends evaluating the risk to your specific configuration.
Security Updates
The following table lists the software products and versions affected, and the updated version available from nvidia.com that includes this security update.
Download the update from the CUDA Toolkit Downloads page to apply the security update.
| CVEs Addressed | Software Product | Operating System | Affected Versions | Updated Version |
|---|---|---|---|---|
| CVE‑2023‑25510 | ||||
| CVE‑2023‑25511 | ||||
| CVE‑2023‑25514 | NVIDIA CUDA Toolkit | Linux, Windows | All versions prior to 12.1 Update 1 | 12.1 Update 1 |
| CVE‑2023‑25512 | NVIDIA CUDA Toolkit | Linux, Windows | All versions prior to 12.1 | 12.1 |
| CVE‑2023‑25513 | NVIDIA CUDA Toolkit | Linux, Windows | All versions prior to 12.0 Update 1 | 12.0 Update 1 |
Notes
- Earlier software releases of this product are also affected. If you are using an earlier release, upgrade to the latest release version.
Acknowledgements
NVIDIA thanks the following people for reporting these issues:
- CVE‑2023‑25510, CVE‑2023‑25511: zz zr, Zhaozixi105
- CVE‑2023‑25512: Luca Di Bartolomeo @ EPFL, Zhaozixi105
- CVE‑2023‑25513: Luca Di Bartolomeo @ EPFL
| CPE | Name | Operator | Version |
|---|---|---|---|
| nvidia cuda toolkit | lt | 12.1 | |
| nvidia cuda toolkit | lt | 12.0 |
Related
6.6 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
0.0005 Low
EPSS
Percentile
16.2%