Nvidia has patched three serious vulnerabilities in GeForce Experience. Bugs allowed execute arbitrary code, escalate privileges, gain access to confidential information, or provoke a denial of service (DoS).
The vulnerabilities were found in all versions of GeForce Experience up to 3.20.5.70 and posed a threat to Windows systems. Fortunately, all vulnerabilities imply that attackers already have access to the system as a local user.That is, these problems cannot be exploited remotely. However, it is still possible to abuse them, especially if hackers have already entered the system, and they need, for example, to increase their privileges.
The most dangerous of the three is CVE-2020-5977, which scored 8.2 out of 10 on the CVSS vulnerability rating scale.
The same bug allows disabling computers with a vulnerable version of GeForce Experience on board, provoking a denial of service (DoS) on the machines.
The second bug, CVE-2020-5990, was rated 7.3 on the CVSS scale and was found in the ShadowPlay component.
The third and “simplest” vulnerability has the identifier CVE-2020-5978 (only 3.2 on the CVSS scale).
Users are advised to update GeForce Experience to version 3.20.5.70 as soon as possible, as in this version all these issues have been fixed.
I must note that this is not the first vulnerability in GeForce Experience in a relatively short time. We have already mentioned that recently NVIDIA fixed a serious vulnerability in the program GeForce Experience, designed to quickly update video card drivers, optimize settings and stream gameplay.