Security Bulletin: Tegra Linux Kernel Driver Vulnerabilities

Updated 09/29/2021 01:03 PM

Tegra Linux Kernel Driver Vulnerabilities









Go to NVIDIA Product Security.

Vulnerability Description:

Vulnerabilities found in NVIDIA Tegra kernel drivers could allow a local attacker to escalate privileges or achieve arbitrary kernel code execution.

Exploit Scope and Risk:

Certain Linux kernel Tegra driver interfaces performed insufficient input validation, potentially resulting in writes to unintended kernel addresses. This could lead to a denial of service (e.g. kernel panic), escalation of privilege, or arbitrary code execution in the kernel.

The CVSS Risk assessment is identical for all CVEs listed in this bulletin as listed below.

CVSS Base Score - 6.6

Exploitability sub-score - 2.7

Access Vector: Local

Access Complexity: Medium

Authentication: Single

Impact sub-score - 10.0

Confidentiality Impact: Complete

Integrity Impact: Complete

Availability Impact: Complete

CVSS temporal sub-score - 3.5

Exploitability: Proof of concept code

Remediation Level: Official Fix

Report Confidence: Confirmed

CVSS Environmental Score - [determined by user]

NVIDIA's risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. We recommend consulting a local security or IT professional to evaluate the risk of your specific configuration. NVIDIA doesn't know of any exploits to these issues at this time.

Vulnerable Configurations:

These vulnerabilities affect platforms running Linux on Tegra K1 and Tegra X1 processors.

Access to the affected device nodes may require elevated privileges, depending on system configuration, including Linux and SELinux permissions.

Vulnerability Discovery:

The vulnerabilities were reported to the Android security team at Google, who informed NVIDIA.

Discovery of CVE-2016-2434, CVE-2016-2435, CVE-2016-2436, CVE-2016-2445, CVE-2016-2446 is credited to Jianqiang Zhao (@jianqiangzhao) and pjf ( of IceSword Lab, Qihoo 360 Technology Co. Ltd. CVE-2016-2437 is credit to Yuan-Tsung Lo, Lubo Zhang, Chiachih Wu (@chiachih_wu), and Xuxian Jiang of C0RE Team.


NVIDIA recommends that users upgrade to patched software. Refer to the table below for recommended software updates.


Customers may consider any of the following steps to help further mitigate against these vulnerabilities:

  • Restrict access to kernel device nodes via system access control policies (DAC, MAC).

  • On Android devices:

  1. Don't install apps from unknown sources, and keep Verify Apps enabled.

  2. Avoid unlocking the bootloader or rooting your device, as these actions may increase risk of device compromise.

Is this answer helpful?

Live Chat

Chat online with one of our support agents



Contact Support for assistance


Ask a Question