CVE-2023-44216

PVRIC (PowerVR Image Compression) on Imagination 2018 and later GPU devices offers software-transparent compression that enables cross-origin pixel-stealing attacks against feTurbulence and feBlend in the SVG Filter specification, aka a GPU.zip issue. For example, attackers can sometimes accurately determine text contained on a web page from one origin if they control a resource from a different origin.
References
Link Resource
https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/ Press/Media Coverage Third Party Advisory
https://blog.imaginationtech.com/introducing-pvric4-taking-image-compression-to-the-next-level/ Press/Media Coverage
https://blog.imaginationtech.com/reducing-bandwidth-pvric/ Press/Media Coverage
https://github.com/UT-Security/gpu-zip Third Party Advisory
https://news.ycombinator.com/item?id=37663159 Issue Tracking
https://www.bleepingcomputer.com/news/security/modern-gpus-vulnerable-to-new-gpuzip-side-channel-attack/ Press/Media Coverage
https://www.hertzbleed.com/gpu.zip/ Technical Description
https://www.hertzbleed.com/gpu.zip/GPU-zip.pdf Exploit
https://www.w3.org/TR/filter-effects-1/ Exploit
https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/ Press/Media Coverage Third Party Advisory
https://blog.imaginationtech.com/introducing-pvric4-taking-image-compression-to-the-next-level/ Press/Media Coverage
https://blog.imaginationtech.com/reducing-bandwidth-pvric/ Press/Media Coverage
https://github.com/UT-Security/gpu-zip Third Party Advisory
https://news.ycombinator.com/item?id=37663159 Issue Tracking
https://www.bleepingcomputer.com/news/security/modern-gpus-vulnerable-to-new-gpuzip-side-channel-attack/ Press/Media Coverage
https://www.hertzbleed.com/gpu.zip/ Technical Description
https://www.hertzbleed.com/gpu.zip/GPU-zip.pdf Exploit
https://www.w3.org/TR/filter-effects-1/ Exploit
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:*
OR cpe:2.3:h:amd:ryzen_7_4800u:-:*:*:*:*:*:*:*
cpe:2.3:h:intel:core_i7-10510u:-:*:*:*:*:*:*:*
cpe:2.3:h:intel:core_i7-12700k:-:*:*:*:*:*:*:*
cpe:2.3:h:intel:core_i7-8700:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:microsoft:windows_11:-:*:*:*:professional:*:*:*
cpe:2.3:h:intel:core_i7-10610u:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:microsoft:windows_11:-:*:*:*:home:*:*:*
OR cpe:2.3:h:intel:core_i7-11800h:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:geforce_rtx_3060:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:microsoft:windows_10:-:*:*:*:pro:*:*:*
OR cpe:2.3:h:amd:ryzen_5_7600x:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:geforce_rtx_2080_super:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:apple:macos:13.1:*:*:*:*:*:*:*
cpe:2.3:h:apple:m1_mac_mini:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*
cpe:2.3:h:google:pixel_6:-:*:*:*:*:*:*:*

History

21 Nov 2024, 08:25

Type Values Removed Values Added
New CVE

Information

Published : 2023-09-27 15:19

Updated : 2024-11-21 08:25


NVD link : CVE-2023-44216

Mitre link : CVE-2023-44216

CVE.ORG link : CVE-2023-44216


JSON object : View

Products Affected

nvidia

  • geforce_rtx_3060
  • geforce_rtx_2080_super

canonical

  • ubuntu_linux

google

  • android
  • pixel_6

microsoft

  • windows_10
  • windows_11

intel

  • core_i7-12700k
  • core_i7-10510u
  • core_i7-11800h
  • core_i7-10610u
  • core_i7-8700

amd

  • ryzen_5_7600x
  • ryzen_7_4800u

apple

  • macos
  • m1_mac_mini
CWE
CWE-203

Observable Discrepancy