In a security bulletin released yesterday evening, NVIDIA alerted users to a critical flaw in its GeForce Experience desktop application, and the flaw's severity warrants the attention of anyone who uses this near-ubiquitous software. Thankfully, the notification also comes with a fix in the form of an update to GFE, which should close off the potential vulnerability.
The CVE-2019-5674 entry describes the flaw as follows:
NVIDIA GeForce Experience contains a vulnerability when ShadowPlay, NvContainer, or GameStream is enabled. When opening a file, the software does not check for hard links. This behavior may lead to code execution, denial of service, or escalation of privileges.
It stems from GFE's use of a plain-text, user-editable configuration file, which can be modified to inject malicious code. ShadowPlay, NvContainer and GameStream are core features of GFE and GeForce consumer GPUs, so their users likely represent a significant proportion of NVIDIA's install base.
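The bulletin's description names a missing hard-link check when a file is opened. As an added example (not NVIDIA's code or its fix), the Python below shows one way a program can make that check on the handle it has already opened; the function, exception and file names are assumptions made for illustration.

```python
import os
import stat
import tempfile


class UnsafeFileError(Exception):
    """The opened file failed the link-count or file-type check."""


def open_single_link(path, flags=os.O_RDONLY):
    """Return a descriptor for path only if it is a regular file with one hard link.

    Do not pass O_TRUNC or O_CREAT: the check has to run before any change.
    """
    # O_NOFOLLOW also rejects a symbolic link as the final path component
    # (the constant is absent on Windows, hence getattr).
    fd = os.open(path, flags | getattr(os, "O_NOFOLLOW", 0))
    try:
        # fstat() inspects the object already opened, so the path cannot be
        # re-pointed between this check and later reads or writes.
        info = os.fstat(fd)
        if not stat.S_ISREG(info.st_mode):
            raise UnsafeFileError(f"{path}: not a regular file")
        if info.st_nlink != 1:
            raise UnsafeFileError(f"{path}: {info.st_nlink} hard links")
    except Exception:
        os.close(fd)
        raise
    return fd


def demo():
    """Constructed scenario: the same file before and after gaining a second name."""
    outcome = {}
    with tempfile.TemporaryDirectory() as workdir:
        log_path = os.path.join(workdir, "service.log")  # constructed name
        with open(log_path, "w") as handle:
            handle.write("constructed sample line\n")
        os.close(open_single_link(log_path, os.O_WRONLY | os.O_APPEND))
        outcome["one_link"] = "opened"
        os.link(log_path, os.path.join(workdir, "second-name.dat"))
        try:
            os.close(open_single_link(log_path, os.O_WRONLY | os.O_APPEND))
            outcome["two_links"] = "opened"
        except UnsafeFileError:
            outcome["two_links"] = "refused"
    return outcome


if __name__ == "__main__":
    print(demo())
```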
The vulnerability affects all versions of GeForce Experience prior to 3.18, regardless of your current Windows operating system. It's therefore recommended that you update to the newest version, available at https://www.nvidia.com/en-gb/geforce/geforce-experience/.
NVIDIA acknowledges the aid of David Yesland of Rhino Security Labs for uncovering this issue.
SOURCE: NVIDIA Security Bulletin.