Multiple vulnerabilities in NVIDIA CUDA Toolkit

1) Out-of-bounds read

EUVDB-ID: #VU104208

Risk: Medium

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-53870

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the cuobjdump binary. A remote attacker can create a specially crafted ELF file, trick the victim into opening it, trigger an out-of-bounds read error and cause a denial of service condition on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

CUDA Toolkit: 12.0.0 - 12.6.68

CPE2.3

External links

https://nvidia.custhelp.com/app/answers/detail/a_id/5594

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds read

EUVDB-ID: #VU104209

Risk: Medium

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-53871

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the nvdisasm binary. A remote attacker can create a specially crafted ELF file, trick the victim into opening it, trigger an out-of-bounds read error and cause a denial of service condition on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

CUDA Toolkit: 12.0.0 - 12.6.68

CPE2.3

External links

https://nvidia.custhelp.com/app/answers/detail/a_id/5594

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Out-of-bounds read

EUVDB-ID: #VU104210

Risk: Medium

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-53872

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the cuobjdump binary. A remote attacker can create a specially crafted ELF file, trick the victim into opening it, trigger an out-of-bounds read error and cause a denial of service condition on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

CUDA Toolkit: 12.0.0 - 12.6.68

CPE2.3

External links

https://nvidia.custhelp.com/app/answers/detail/a_id/5594

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Out-of-bounds read

EUVDB-ID: #VU104216

Risk: Medium

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-53874

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the cuobjdump binary. A remote attacker can create a specially crafted ELF file, trick the victim into opening it, trigger an out-of-bounds read error and cause a denial of service condition on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

CUDA Toolkit: 12.0.0 - 12.6.68

CPE2.3

External links

https://nvidia.custhelp.com/app/answers/detail/a_id/5594

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Out-of-bounds read

EUVDB-ID: #VU104217

Risk: Medium

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-53875

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the cuobjdump binary. A remote attacker can create a specially crafted ELF file, trick the victim into opening it, trigger an out-of-bounds read error and cause a denial of service condition on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

CUDA Toolkit: 12.0.0 - 12.6.68

CPE2.3

External links

https://nvidia.custhelp.com/app/answers/detail/a_id/5594

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Out-of-bounds read

EUVDB-ID: #VU104218

Risk: Medium

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-53876

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the nvdisasm binary. A remote attacker can create a specially crafted ELF file, trick the victim into opening it, trigger an out-of-bounds read error and cause a denial of service condition on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

CUDA Toolkit: 12.0.0 - 12.6.68

CPE2.3

External links

https://nvidia.custhelp.com/app/answers/detail/a_id/5594

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) NULL pointer dereference

EUVDB-ID: #VU104219

Risk: Medium

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-53877

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the nvdisasm binary. A remote attacker can trick a victim to open a specially crafted ELF file and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

CUDA Toolkit: 12.0.0 - 12.6.68

CPE2.3

External links

https://nvidia.custhelp.com/app/answers/detail/a_id/5594

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Input validation error

EUVDB-ID: #VU104220

Risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-53878

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the cuobjdump binary. A remote user can trick a victim to open a specially crafted ELF file and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

CUDA Toolkit: 12.0.0 - 12.6.68

CPE2.3

External links

https://nvidia.custhelp.com/app/answers/detail/a_id/5594

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Input validation error

EUVDB-ID: #VU104221

Risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-53879

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the cuobjdump binary. A remote user can trick a victim to open a specially crafted ELF file and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

CUDA Toolkit: 12.0.0 - 12.6.68

CPE2.3

External links

https://nvidia.custhelp.com/app/answers/detail/a_id/5594

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Risk	Medium
Patch available	YES
Number of vulnerabilities	9
CVE-ID	CVE-2024-53870 CVE-2024-53871 CVE-2024-53872 CVE-2024-53874 CVE-2024-53875 CVE-2024-53876 CVE-2024-53877 CVE-2024-53878 CVE-2024-53879
CWE-ID	CWE-125 CWE-476 CWE-20
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	CUDA Toolkit Universal components / Libraries / Software for developers
Vendor	nVidia