The vulnerabilities expose Windows and Linux machines to attacks leading to denial of service, escalation of privileges, data tampering, information disclosure and black death (we made the last one up).
All these security bugs require local user access, which means that potential attackers will first have to gain access to vulnerable devices using an additional attack vector.
Exploitation of one of the vulnerabilities patched today, attackers can easily escalate privileges to gain permissions above the default ones granted by the OS.
They can be exploited to render machines running vulnerable drivers or software temporarily unusable by triggering denial-of-service states or to gain access to otherwise unobtainable information.
Nvidia has addressed the security issues in all affected software products and platforms with the exception of those tracked as CVE‑2021‑1052, CVE‑2021‑1053, and CVE‑2021‑1056 impacting the Linux GPU Display Driver for Tesla GPUs which will receive an update driver version starting with January 18, 2021.
The bugs come with CVSS V3 base scores ranging from 5.3 to 8.4, with11 of them having received a high-risk assessment from NVIDIA.
Nvidia's security bulletin says that the "risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation".
Nvidia recommends customers to update their GeForce, Nvidia RTX, Quadro, NVS, and Tesla GPU display drivers, as well as Virtual GPU Manager and guest driver software using the security updates available on the Nvidia Driver Downloads page.
The company says that some customers who will not patch the flaws manually may also receive security updates bundled with Windows GPU display driver 460.84, 457.49, and 452.66 versions from their computer hardware vendors.