Arch Linux Security Advisory ASA-201709-22 ========================================== Severity: High Date : 2017-09-28 CVE-ID : CVE-2017-6266 CVE-2017-6267 CVE-2017-6272 Package : nvidia Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-418 Summary ======= The package nvidia before version 384.90-1 is vulnerable to multiple issues including privilege escalation and denial of service. Resolution ========== Upgrade to 384.90-1. # pacman -Syu "nvidia>=384.90-1" The problems have been fixed upstream in version 384.90. Workaround ========== None. Description =========== - CVE-2017-6266 (denial of service) NVIDIA GPU Display Driver contains a vulnerability in the kernel mode layer handler where improper access controls could allow unprivileged users to cause a denial of service. - CVE-2017-6267 (denial of service) NVIDIA GPU Display Driver contains a vulnerability in the kernel mode layer handler where an incorrect initialization of internal objects can cause an infinite loop, which may lead to a denial of service. - CVE-2017-6272 (privilege escalation) NVIDIA GPU Display Driver contains a vulnerability in the kernel mode layer handler where a value passed from a user to the driver is not correctly validated and used as the index to an array, which may lead to a denial of service or possible escalation of privileges. Impact ====== A remote attacker who is able to invoke certain graphics API calls may be able to escalate privileges or crash the system on the affected host. References ========== https://nvidia.custhelp.com/app/answers/detail/a_id/4544 https://security.archlinux.org/CVE-2017-6266 https://security.archlinux.org/CVE-2017-6267 https://security.archlinux.org/CVE-2017-6272