Nvidia developers have fixed three vulnerabilities in GeForce Experience. The bugs could be used to execute arbitrary code, escalate privileges, gain access to confidential information, or provoke a denial of service (DoS).
The vulnerabilities were found in all versions of GeForce Experience up to 126.96.36.199 and posed a threat to Windows systems. Fortunately, all of them require that the attacker already has access to the system as a local user. That is, these problems cannot be exploited remotely. However, they can still be abused, especially by hackers who have already entered the system and need, for example, to escalate their privileges.
The most dangerous of the three is CVE-2020-5977, which scored 8.2 out of 10 on the CVSS vulnerability rating scale. The problem affects the Helper NodeJS module and is an uncontrolled search path issue. It can be used to escalate privileges and execute arbitrary code. The same bug can also be used to disable computers running a vulnerable version of GeForce Experience, provoking a denial of service (DoS) on the machines.
The second bug, CVE-2020-5990, was rated 7.3 on the CVSS scale and was found in the ShadowPlay component. This vulnerability can also be used to escalate privileges or provoke a denial of service, and it can lead to information disclosure.
The third and "simplest" vulnerability has the identifier CVE-2020-5978 (only 3.2 on the CVSS scale). The flaw was found in the nvcontainer.exe service and can be used to escalate privileges and trigger a denial of service. However, to exploit this issue, the hacker-controlled account must already have LOCAL_SYSTEM privileges.
Users are advised to update as soon as possible to GeForce Experience version 188.8.131.52, in which all of these issues have been fixed.