CVE-2024-0107 Overview
CVE-2024-0107 affects the NVIDIA GPU Display Driver for Windows. The flaw resides in the user mode layer, where an unprivileged local user can trigger an out-of-bounds read [CWE-125]. Successful exploitation can lead to code execution, denial of service, privilege escalation, information disclosure, and data tampering. The vulnerability impacts a wide range of NVIDIA products, including GeForce, Quadro, RTX, Tesla, Virtual GPU, and Cloud Gaming installations on Windows hosts.
Critical Impact
A local, low-privileged attacker on a Windows system running an affected NVIDIA driver can read memory beyond intended bounds, potentially achieving code execution and privilege escalation.
Affected Products
- NVIDIA GPU Display Driver for Windows (GeForce, Quadro, RTX, Tesla branches)
- NVIDIA Virtual GPU software on Windows
- NVIDIA Cloud Gaming components on Windows
Discovery Timeline
- 2024-08-08 - CVE-2024-0107 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2024-0107
Vulnerability Analysis
The vulnerability is an out-of-bounds read [CWE-125] in the user mode layer of the NVIDIA GPU Display Driver for Windows. User mode driver components expose interfaces that accept buffers and indices from calling processes. When the driver fails to validate the size or offset of incoming data, it reads memory outside the intended buffer boundary.
Because the affected logic runs in the context of a process interacting with the GPU driver, an unprivileged regular user can reach the vulnerable code path. NVIDIA classifies the impact as including code execution, denial of service, escalation of privileges, information disclosure, and data tampering, indicating the bounds violation can be steered into adjacent structures that influence control flow.
Root Cause
The root cause is missing or insufficient bounds checking on input handled by the user mode driver layer. A length, index, or offset value derived from caller-controlled data is used to dereference memory without validation against the actual allocation size, producing a read past the end of the buffer.
Attack Vector
Exploitation requires local access with low privileges and no user interaction. An attacker executes code on the host as a standard user and issues crafted requests to the NVIDIA user mode driver. The out-of-bounds read can leak memory contents used to bypass mitigations such as ASLR, and when combined with adjacent corruption primitives may enable code execution at higher privilege. EPSS data indicates a low probability of opportunistic exploitation, but the local attack surface is broad given the driver's ubiquity on Windows workstations. No verified proof-of-concept code is published; see the Talos Intelligence Vulnerability Report for technical details.
Detection Methods for CVE-2024-0107
Indicators of Compromise
- Unexpected crashes or watchdog events from nvlddmkm.sys or NVIDIA user mode driver DLLs such as nvwgf2umx.dll shortly after a non-admin process loads GPU resources.
- Standard user processes loading NVIDIA driver DLLs and immediately spawning unexpected child processes or performing token manipulation.
- Windows Error Reporting entries citing access violations inside NVIDIA user mode driver modules.
Detection Strategies
- Inventory installed NVIDIA driver versions across endpoints and flag hosts running versions earlier than the fixed releases listed in the NVIDIA advisory.
- Hunt for low-integrity processes opening handles to NVIDIA driver device objects followed by anomalous memory allocation or thread creation patterns.
- Correlate application crash telemetry that references NVIDIA driver modules with subsequent privilege changes on the same host.
Monitoring Recommendations
- Forward Windows Application and System event logs, WER reports, and EDR process telemetry to a central data lake for retrospective hunting.
- Monitor for non-admin users invoking GPU compute or graphics APIs in environments where such activity is not expected.
- Track driver version drift across the fleet and alert when hosts fall behind the patched baseline.
How to Mitigate CVE-2024-0107
Immediate Actions Required
- Apply the fixed NVIDIA GPU Display Driver versions documented in the vendor security bulletin to all affected Windows endpoints and virtual GPU hosts.
- Prioritize multi-user systems such as Virtual GPU hosts, Cloud Gaming infrastructure, and shared workstations where a local attacker is most likely to exist.
- Restrict interactive logon and code execution rights for non-administrative users on sensitive systems until patches are deployed.
Patch Information
NVIDIA published fixed driver versions and remediation guidance in NVIDIA Security Bulletin 5557. Administrators should update GeForce, Quadro, RTX, Tesla, Virtual GPU, and Cloud Gaming components on Windows to the versions specified in that advisory.
Workarounds
- No vendor-supplied workaround replaces the patch; apply the updated driver as soon as feasible.
- Limit local logon rights and enforce application allowlisting to reduce the population of users that can reach the user mode driver.
- On Virtual GPU and Cloud Gaming hosts, segregate tenant workloads and disable unused GPU features to shrink the exposed attack surface.
# Query installed NVIDIA driver version on Windows
wmic path win32_VideoController get name,driverversion
# PowerShell alternative
Get-CimInstance Win32_VideoController | Select-Object Name, DriverVersion, DriverDate
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
