CVE-2022-28181 Overview
CVE-2022-28181 affects the NVIDIA GPU Display Driver for Windows and Linux. The flaw resides in the kernel mode layer and allows an unprivileged user to trigger an out-of-bounds write [CWE-787] by submitting a specially crafted shader. Successful exploitation can lead to remote code execution, privilege escalation, denial of service, information disclosure, and data tampering. The scope extends beyond the driver, affecting other system components. NVIDIA Virtual GPU products are also impacted.
Critical Impact
A network-reachable, low-privileged attacker can execute code in kernel context and pivot beyond the driver's security boundary, compromising the entire host.
Affected Products
- NVIDIA GPU Display Driver for Windows
- NVIDIA GPU Display Driver for Linux
- NVIDIA Virtual GPU (vGPU) software, including version 14.0
Discovery Timeline
- 2022-05-17 - CVE-2022-28181 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-28181
Vulnerability Analysis
The vulnerability is an out-of-bounds write [CWE-787] in the kernel mode layer of the NVIDIA GPU Display Driver. The driver processes shader programs supplied from user space and passes them through into kernel-resident GPU command handling. When a maliciously crafted shader is submitted, the kernel writes data past the bounds of an allocated buffer. This memory corruption occurs inside a privileged execution context, enabling arbitrary kernel memory modification.
Because the attack vector is rated as network-reachable with a scope change, an attacker does not require local interactive access. Remote rendering pipelines, virtualized GPU workloads, and vGPU guests can deliver the crafted shader to the vulnerable kernel component. The combination of low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability makes this flaw practical to weaponize in shared GPU and cloud-rendering environments.
Root Cause
The root cause is insufficient validation of shader-derived data before it is written to a kernel buffer. The driver does not enforce strict bounds on attacker-controlled offsets or sizes, allowing memory corruption adjacent to or beyond the destination structure. This pattern affects shared kernel data and can be steered toward control structures used for execution flow.
Attack Vector
An attacker with low privileges on a system that exposes the GPU driver—either directly or through a virtualized GPU service—submits a crafted shader to the rendering pipeline. The driver parses and dispatches the shader inside the kernel mode layer, where the out-of-bounds write occurs. In multi-tenant vGPU deployments, a guest can use this path to escape the guest boundary and impact the hypervisor host or sibling tenants.
No public proof-of-concept code is available for CVE-2022-28181. For technical specifics, consult the NVIDIA Security Bulletin and the Gentoo GLSA 202310-02.
Detection Methods for CVE-2022-28181
Indicators of Compromise
- Unexpected crashes, bug checks, or kernel panics referencing NVIDIA driver modules such as nvlddmkm.sys on Windows or nvidia.ko on Linux.
- Sudden GPU driver restarts or TDR (Timeout Detection and Recovery) events correlated with unprivileged process activity.
- Anomalous shader compilation or submission patterns from non-graphics workloads, particularly in vGPU guest VMs.
Detection Strategies
- Inventory hosts running NVIDIA GPU Display Driver and vGPU software, then compare installed versions against the fixed releases listed in NVIDIA Security Bulletin 5353.
- Hunt for kernel-mode exceptions originating in NVIDIA driver call stacks within Windows Event Logs and Linux dmesg output.
- Monitor process lineage where low-privileged processes invoke GPU APIs immediately before a driver fault or privilege change.
Monitoring Recommendations
- Forward kernel crash telemetry, WHEA events, and kern.log entries to a centralized analytics platform for correlation.
- Track child process creation under dwm.exe, csrss.exe, or graphics services after suspected exploitation attempts.
- In virtualized environments, alert on vGPU guests triggering repeated host-side driver faults, which can indicate exploitation probing.
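The Linux side of the hunting and alerting steps above can be prototyped as follows. This is an added example, not code from NVIDIA or from the original page. The log lines are constructed in the shape of the driver's "NVRM: Xid" error reports and a kernel fault line, and the repeat threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed sample in the shape of Linux kernel log output; not from a real incident.
SAMPLE_LOG = """\
[  101.220001] NVRM: Xid (PCI:0000:3b:00): 31, pid=4121, Ch 00000010, intr 10000000.
[  101.930114] NVRM: Xid (PCI:0000:3b:00): 31, pid=4121, Ch 00000010, intr 10000000.
[  102.400873] NVRM: Xid (PCI:0000:3b:00): 13, pid=4121, Graphics Exception
[  140.000321] NVRM: Xid (PCI:0000:3b:00): 31, pid=977, Ch 00000008, intr 10000000.
[  150.112233] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[  188.551902] BUG: unable to handle page fault for address: ffffb1c2c0a7f000
[  188.551930] RIP: 0010:_nv000000rm+0x1a/0x40 [nvidia]
"""

# Driver-reported GPU error: "NVRM: Xid (<pci>): <code>, pid=<pid>, ..."
XID_RE = re.compile(r"NVRM: Xid \((?P<pci>[^)]+)\): (?P<xid>\d+), pid=(?P<pid>[^,\s]+)")
# Kernel fault whose faulting instruction lies inside an nvidia* module.
RIP_RE = re.compile(r"RIP: (?:\d+:)?(?P<sym>\S+) \[(?P<mod>nvidia\w*)\]")


def triage(log_text, repeat_threshold=3):
    """Summarise NVIDIA-related faults; repeat_threshold is an assumed tuning value."""
    xid_by_pid = Counter()
    xid_codes = Counter()
    driver_oops = []
    for line in log_text.splitlines():
        m = XID_RE.search(line)
        if m:
            # pid stays a string: the driver can log a non-numeric placeholder.
            xid_by_pid[m["pid"]] += 1
            xid_codes[int(m["xid"])] += 1
            continue
        m = RIP_RE.search(line)
        if m:
            driver_oops.append((m["mod"], m["sym"]))
    repeat = sorted(p for p, n in xid_by_pid.items() if n >= repeat_threshold)
    return {"xid_by_pid": xid_by_pid, "xid_codes": xid_codes,
            "driver_oops": driver_oops, "repeat_offenders": repeat}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("processes with repeated GPU faults:", result["repeat_offenders"])
    print("kernel faults inside the driver:", result["driver_oops"])
```

Xid reports also occur with faulty hardware and buggy applications, so a flagged PID is a lead for correlation with process lineage rather than a verdict.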
How to Mitigate CVE-2022-28181
Immediate Actions Required
- Apply the patched NVIDIA GPU Display Driver and vGPU software versions documented in NVIDIA Security Bulletin 5353.
- Prioritize remediation on multi-tenant hosts, virtual desktop infrastructure, and cloud rendering nodes where untrusted workloads can submit shaders.
- Audit user privileges on GPU-equipped systems and remove unnecessary local accounts that can interact with the driver.
Patch Information
NVIDIA released fixed driver and vGPU software builds in its May 2022 security update. Refer to NVIDIA Security Bulletin 5353 for the exact branch-by-branch versions. Gentoo Linux users should apply the updates referenced in Gentoo GLSA 202310-02.
Workarounds
- Restrict GPU API access on shared systems to trusted users until patches are deployed.
- Disable or isolate vGPU guests that do not require accelerated graphics workloads.
- Block untrusted shader execution paths in rendering services that expose GPU compute to network clients.
# Verify installed NVIDIA driver version on Linux
nvidia-smi --query-gpu=driver_version --format=csv,noheader
# Verify installed NVIDIA driver version on Windows (PowerShell)
Get-CimInstance Win32_PnPSignedDriver | Where-Object { $_.DeviceName -like "*NVIDIA*" } | Select-Object DeviceName, DriverVersion
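The two commands report versions in different forms: nvidia-smi prints NVIDIA's own version, while the Windows DriverVersion field embeds it in a four-part number. The following added example (not from the original page or from NVIDIA) normalizes both and compares each host against a per-branch fixed version. The host names, branch numbers and versions are constructed placeholders; the real floors come from NVIDIA Security Bulletin 5353.

```python
# Constructed fixed-version floors keyed by driver branch. The branch numbers and
# versions are placeholders; fill in the real ones from NVIDIA Security Bulletin 5353.
FIXED_MIN = {900: "900.20.02", 905: "905.30"}

# Constructed inventory: host -> raw output of the command run on that host.
INVENTORY = {
    "render-01": "900.12.01\n900.12.01\n",  # nvidia-smi, one line per GPU
    "render-02": "900.20.02\n",
    "vdi-07": "30.0.19.0530",               # Windows DriverVersion field
    "vdi-08": "30.0.19.512",                # same field, in case a leading zero was dropped
    "lab-03": "880.10",                     # branch with no floor recorded
}


def normalize(raw):
    """Turn either command's output into NVIDIA's version as an int tuple."""
    parts = raw.strip().splitlines()[0].strip().split(".")
    if len(parts) == 4:
        # Windows reports a.b.c.d; NVIDIA's XXX.YY is the last digit of c
        # followed by d padded to four digits (e.g. 30.0.15.1215 -> 512.15).
        digits = parts[2][-1] + parts[3].zfill(4)
        return (int(digits[:3]), int(digits[3:]))
    return tuple(int(p) for p in parts)


def check(inventory, fixed_min):
    """Classify each host as patched, vulnerable or unknown-branch."""
    report = {}
    for host, raw in inventory.items():
        ver = normalize(raw)
        floor = fixed_min.get(ver[0])
        if floor is None:
            report[host] = "unknown-branch"  # never assume an unlisted branch is safe
        else:
            report[host] = "patched" if ver >= normalize(floor) else "vulnerable"
    return report


if __name__ == "__main__":
    for host, status in sorted(check(INVENTORY, FIXED_MIN).items()):
        print(f"{host}: {status}")
```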