Piotr Bania of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple remote code execution vulnerabilities in the NVIDIA D3D10 driver. This driver supports multiple GPUs that NVIDIA produces. An adversary could exploit these vulnerabilities by supplying the user with a malformed shader, eventually allowing them to execute code on the victim machine. These bugs could also allow the attacker to perform a guest-to-host escape through Hyper-V RemoteFX on Windows machines.

In accordance with our coordinated disclosure policy, Cisco Talos worked with NVIDIA to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

NVIDIA D3D10 driver nvwgf2umx_cfg.dll nvwg MOV code execution vulnerability (TALOS-2020-1035/CVE-2020-5981)

An exploitable code execution vulnerability exists in the nvwg MOV functionality of the NVIDIA D3D10 driver, version 442.50 - 26.21.14.4250. A specially crafted shader can cause remote code execution. An attacker can use this vulnerability to perform a guest-to-host escape (through Hyper-V RemoteFX).

Read the complete vulnerability advisory here for additional information.

NVIDIA D3D10 driver nvwgf2umx_cfg.dll nvwg MOV2 code execution vulnerability (TALOS-2020-1036/CVE-2020-5981)

An exploitable code execution vulnerability exists in the nvwg MOV2 functionality of the NVIDIA D3D10 driver, version 442.50 - 26.21.14.4250. A specially crafted shader can cause remote code execution. An attacker can use this vulnerability to perform a guest-to-host escape (through Hyper-V RemoteFX).

Read the complete vulnerability advisory here for additional information.

NVIDIA D3D10 driver nvwgf2umx_cfg.dll nvwg MUL code execution vulnerability (TALOS-2020-1037/CVE-2020-5981)

An exploitable code execution vulnerability exists in the nvwg MUL functionality of the NVIDIA D3D10 driver, version 442.50 - 26.21.14.4250. A specially crafted shader can cause remote code execution. An attacker can use this vulnerability to perform a guest-to-host escape (through Hyper-V RemoteFX).

Read the complete vulnerability advisory here for additional information.

NVIDIA D3D10 Driver nvwgf2umx_cfg.dll nvwg DCL_CONSTANT_BUFFER code execution vulnerability (TALOS-2020-1038/CVE-2020-5981)

An exploitable code execution vulnerability exists in the nvwg DCL_CONSTANT_BUFFER functionality of the NVIDIA D3D10 driver, version 442.50 - 26.21.14.4250. A specially crafted shader can cause remote code execution. An attacker can use this vulnerability to perform a guest-to-host escape (through Hyper-V RemoteFX).

Read the complete vulnerability advisory here for additional information.

NVIDIA D3D10 Driver nvwgf2umx_cfg.dll nvwg FTOI code execution vulnerability (TALOS-2020-1039/CVE-2020-5981)

An exploitable code execution vulnerability exists in the nvwg functionality of the NVIDIA Corporation NVIDIA D3D10 driver nvwgf2umx_cfg.dll, version 442.50 - 26.21.14.4250. A specially crafted shader could allow an adversary to execute code remotely. An attacker can use this vulnerability to perform a guest-to-host escape (through Hyper-V RemoteFX).

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that these vulnerabilities affect the NVIDIA D3D10 driver, version 442.50 - 26.21.14.4250.

Coverage

The following SNORT® rules from an earlier rule release will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 53517 - 53524, 53535 - 53538