PVRIC (PowerVR Image Compression) on Imagination 2018 and later GPU devices
offers software-transparent compression that enables cross-origin
pixel-stealing attacks against feTurbulence and feBlend in the SVG Filter
specification, aka a GPU.zip issue. For example, attackers can sometimes
accurately determine text contained on a web page from one origin if they
control a resource from a different origin.
Author | Note |
---|---|
rodrigo-zaiden | GPU.zip blog posts claims that all GPUs are likely affected but none responded to it yet. added nvidia drivers tracking, but later updates will be necessary for a proper triage over nvidia and other GPUs. |
mdeslaur | some binary drivers are no longer support by NVidia, so they are marked as ignored here This CVE applied to Imagination hardware. While similar issues may apply to Nvidia, this CVE doesn’t seem to be used for it, so marking nvidia packages as not-affected. |
arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/
blog.imaginationtech.com/introducing-pvric4-taking-image-compression-to-the-next-level/
blog.imaginationtech.com/reducing-bandwidth-pvric/
github.com/UT-Security/gpu-zip
launchpad.net/bugs/cve/CVE-2023-44216
news.ycombinator.com/item?id=37663159
nvd.nist.gov/vuln/detail/CVE-2023-44216
security-tracker.debian.org/tracker/CVE-2023-44216
www.cve.org/CVERecord?id=CVE-2023-44216
www.hertzbleed.com/gpu.zip/
www.hertzbleed.com/gpu.zip/GPU-zip.pdf
www.w3.org/TR/filter-effects-1/