Vulnerability Details : CVE-2022-42255

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering.

Vulnerability category: Memory CorruptionDenial of serviceInformation leak

Published 2022-12-30 23:15:11

Updated 2023-10-19 01:21:45

Source NVIDIA Corporation

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-42255

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 7 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-42255

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	nvd@nist.gov
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
5.3	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	1.8	3.4	psirt@nvidia.com
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: Low

CWE ids for CVE-2022-42255

CWE-129 Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

Assigned by: nvd@nist.gov (Primary)
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Assigned by: psirt@nvidia.com (Secondary)

References for CVE-2022-42255

https://security.gentoo.org/glsa/202310-02

NVIDIA Drivers: Multiple Vulnerabilities (GLSA 202310-02) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://nvidia.custhelp.com/app/answers/detail/a_id/5415

Security Bulletin: NVIDIA GPU Display Driver - November 2022 | NVIDIA
Vendor Advisory

CVEs referencing this url

Products affected by CVE-2022-42255

Nvidia » Virtual Gpu
Versions from including (>=) 12.0 and before (<) 13.6
cpe:2.3:a:nvidia:virtual_gpu:*:*:*:*:*:*:*:*
Matching versions
When used together with: Citrix » Hypervisor » Version: N/A
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Redhat » Enterprise Linux Kernel-based Virtual Machine » Version: N/A
When used together with: Vmware » Vsphere » Version: N/A
Nvidia » Virtual Gpu
Versions from including (>=) 14.0 and before (<) 14.4
cpe:2.3:a:nvidia:virtual_gpu:*:*:*:*:*:*:*:*
Matching versions
When used together with: Citrix » Hypervisor » Version: N/A
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Redhat » Enterprise Linux Kernel-based Virtual Machine » Version: N/A
When used together with: Vmware » Vsphere » Version: N/A
Nvidia » Virtual Gpu
Versions before (<) 11.11
cpe:2.3:a:nvidia:virtual_gpu:*:*:*:*:*:*:*:*
Matching versions
When used together with: Citrix » Hypervisor » Version: N/A
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Redhat » Enterprise Linux Kernel-based Virtual Machine » Version: N/A
When used together with: Vmware » Vsphere » Version: N/A
Nvidia » Cloud Gaming
Versions before (<) 525.60.11
cpe:2.3:a:nvidia:cloud_gaming:*:*:*:*:*:*:*:*
Matching versions
When used together with: Linux » Linux Kernel » Version: N/A
Nvidia » Cloud Gaming
Versions before (<) 525.60.12
cpe:2.3:a:nvidia:cloud_gaming:*:*:*:*:*:*:*:*
Matching versions
When used together with: Citrix » Hypervisor » Version: N/A
When used together with: Redhat » Enterprise Linux Kernel-based Virtual Machine » Version: N/A