CVE-2016-8812
NVIDIA Driver - NvStreamKms 'PsSetCreateProcessNotifyRoutineEx Local Stack Buffer Overflow Callback / Local Privilege Escalation
Severity Score
8.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA GeForce Experience R340 before GFE 2.11.4.125 and R375 before GFE 3.1.0.52 contains a vulnerability in the kernel mode layer (nvstreamkms.sys) allowing a user to cause a stack buffer overflow with specially crafted executable paths, leading to a denial of service or escalation of privileges.
Para los productos NVIDIA Quadro, NVS y GeForce, NVIDIA Windows GPU Display Driver R340 before 342.00, R367 before 369.59, and R375 en versiones anteriores a 375.63 contiene una vulnerabilidad en el controlador de la capa de modo kernel (nvlddmkm.sys) para DxgDdiEscape ID 0x7000014 donde un valor pasado de un usuario al controlador es utilizado sin validación como el índice de una matriz interna, conduciendo a una denegación de servicio o potencial escalada de privilegios.
The NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up a process creation notification routine. wcscpy_s is used incorrectly here, as the second argument is not the size of |Dst|, but rather the calculated size of the filename. |Dst| is a stack buffer that is at least 255 characters long. The the maximum component paths of most filesystems on Windows have a limit that is <= 255 though, so this shouldn't be an issue on normal filesystems. However, one can pass UNC paths to CreateProcessW containing forward slashes as the path delimiter, which means that the extracted filename here can be "a/b/c/...", leading to a buffer overflow. Additionally, this function has no stack cookie.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2016-10-18 CVE Reserved
- 2016-10-29 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
- 2024-08-06 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/93986 | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/40660 | 2024-08-06 |
| URL | Date | SRC |
|---|---|---|
| http://nvidia.custhelp.com/app/answers/detail/a_id/4247 | 2017-09-03 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Geforce 910m Search vendor "Nvidia" for product "Geforce 910m" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Geforce 920m Search vendor "Nvidia" for product "Geforce 920m" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Geforce 920mx Search vendor "Nvidia" for product "Geforce 920mx" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Geforce 930m Search vendor "Nvidia" for product "Geforce 930m" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Geforce 930mx Search vendor "Nvidia" for product "Geforce 930mx" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Geforce 940m Search vendor "Nvidia" for product "Geforce 940m" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Geforce 940mx Search vendor "Nvidia" for product "Geforce 940mx" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Geforce 945m Search vendor "Nvidia" for product "Geforce 945m" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Geforce Gt 710 Search vendor "Nvidia" for product "Geforce Gt 710" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Geforce Gt 730 Search vendor "Nvidia" for product "Geforce Gt 730" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Geforce Gtx 1050 Search vendor "Nvidia" for product "Geforce Gtx 1050" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Geforce Gtx 1060 Search vendor "Nvidia" for product "Geforce Gtx 1060" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Geforce Gtx 1070 Search vendor "Nvidia" for product "Geforce Gtx 1070" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Geforce Gtx 1080 Search vendor "Nvidia" for product "Geforce Gtx 1080" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Geforce Gtx 950m Search vendor "Nvidia" for product "Geforce Gtx 950m" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Geforce Gtx 960m Search vendor "Nvidia" for product "Geforce Gtx 960m" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Geforce Gtx 965m Search vendor "Nvidia" for product "Geforce Gtx 965m" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Nvs 310 Search vendor "Nvidia" for product "Nvs 310" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Nvs 315 Search vendor "Nvidia" for product "Nvs 315" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Nvs 510 Search vendor "Nvidia" for product "Nvs 510" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Nvs 810 Search vendor "Nvidia" for product "Nvs 810" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Quadro K1200 Search vendor "Nvidia" for product "Quadro K1200" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Quadro K420 Search vendor "Nvidia" for product "Quadro K420" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Quadro K620 Search vendor "Nvidia" for product "Quadro K620" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Quadro M1000m Search vendor "Nvidia" for product "Quadro M1000m" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Quadro M2000 Search vendor "Nvidia" for product "Quadro M2000" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Quadro M2000m Search vendor "Nvidia" for product "Quadro M2000m" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Quadro M3000m Search vendor "Nvidia" for product "Quadro M3000m" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Quadro M4000 Search vendor "Nvidia" for product "Quadro M4000" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Quadro M4000m Search vendor "Nvidia" for product "Quadro M4000m" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Quadro M5000 Search vendor "Nvidia" for product "Quadro M5000" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Quadro M5000m Search vendor "Nvidia" for product "Quadro M5000m" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Quadro M500m Search vendor "Nvidia" for product "Quadro M500m" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Quadro M5500 Search vendor "Nvidia" for product "Quadro M5500" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Quadro M6000 Search vendor "Nvidia" for product "Quadro M6000" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Quadro M600m Search vendor "Nvidia" for product "Quadro M600m" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Quadro P5000 Search vendor "Nvidia" for product "Quadro P5000" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Quadro P6000 Search vendor "Nvidia" for product "Quadro P6000" | - | - |
Safe
|
| Nvidia Search vendor "Nvidia" | Geforce Experience Search vendor "Nvidia" for product "Geforce Experience" | * | - |
Affected
| in | Nvidia Search vendor "Nvidia" | Titan X Search vendor "Nvidia" for product "Titan X" | - | - |
Safe
|