CVE-2017-0312

high

Published 2017-02-15 · Modified 2026-05-13

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

7.8

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.8

Description

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscapeID 0x100008b where user provided input is used as the limit for a loop may lead to denial of service or potential escalation of privileges

Predictions

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-41364 dos windows verified text · 2 KB

Google Security Research · 2017-02-15

NVIDIA Driver 375.70 - DxgkDdiEscape 0x100008b Out-of-Bounds Read/Write

text exploit Source: Exploit-DB

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=985

The DxgkDdiEscape handler for 0x100008b accepts a user supplied size as the                                                                                    
limit for a loop, leading to OOB reads and writes.

The supplied PoC passes an invalid size of 0x41414141, which causes a crash in:

__int64 sub_30A500(__int64 a1, __int64 a2, _DWORD *ptr, unsigned int user_supplied_size)
{
  __int64 i; // r11@2

  if ( user_supplied_size )
  {
    i = user_supplied_size;
    do
    {
      if ( *ptr == 3 || (unsigned int)(*ptr - 9) <= 1 )
        *ptr = 0;
      ptr += 3;
      --i;
    }
    while ( i );

Crashing context on Win 10 x64, driver version 375.70:

TRAP_FRAME:  ffffd000266219e0 -- (.trap 0xffffd000266219e0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000fffffff7 rbx=0000000000000000 rcx=ffffe000d6315000
rdx=ffffe000d691b000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8010e34a50b rsp=ffffd00026621b78 rbp=ffffe000d691b000
 r8=ffffd000266228a8  r9=0000000041414141 r10=ffffd00026623004
r11=00000000414140a4 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
nvlddmkm+0x2fa50b:
fffff801`0e34a50b 418b02          mov     eax,dword ptr [r10] ds:ffffd000`26623004=????????


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41364.zip

Application impact

Vendor	Product	Versions	Fixed
nvidia	gpu_driver	`-`

References

CWEs

CWE-20

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.