CVE-2023-44216

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-44216
PVRIC (PowerVR Image Compression) on Imagination 2018 and later GPU devices offers software-transparent compression that enables cross-origin pixel-stealing attacks against feTurbulence and feBlend in the SVG Filter specification, aka a GPU.zip issue. For example, attackers can sometimes accurately determine text contained on a web page from one origin if they control a resource from a different origin.

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/ Press/Media Coverage Third Party Advisory
https://blog.imaginationtech.com/introducing-pvric4-taking-image-compression-to-the-next-level/ Press/Media Coverage
https://blog.imaginationtech.com/reducing-bandwidth-pvric/ Press/Media Coverage
https://github.com/UT-Security/gpu-zip Third Party Advisory
https://news.ycombinator.com/item?id=37663159 Issue Tracking
https://www.bleepingcomputer.com/news/security/modern-gpus-vulnerable-to-new-gpuzip-side-channel-attack/ Press/Media Coverage
https://www.hertzbleed.com/gpu.zip/ Technical Description
https://www.hertzbleed.com/gpu.zip/GPU-zip.pdf Exploit
https://www.w3.org/TR/filter-effects-1/ Exploit
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:*
OR cpe:2.3:h:amd:ryzen_7_4800u:-:*:*:*:*:*:*:*
cpe:2.3:h:intel:core_i7-10510u:-:*:*:*:*:*:*:*
cpe:2.3:h:intel:core_i7-12700k:-:*:*:*:*:*:*:*
cpe:2.3:h:intel:core_i7-8700:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:microsoft:windows_11:-:*:*:*:professional:*:*:*
cpe:2.3:h:intel:core_i7-10610u:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:microsoft:windows_11:-:*:*:*:home:*:*:*
OR cpe:2.3:h:intel:core_i7-11800h:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:geforce_rtx_3060:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:microsoft:windows_10:-:*:*:*:pro:*:*:*
OR cpe:2.3:h:amd:ryzen_5_7600x:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:geforce_rtx_2080_super:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:apple:macos:13.1:*:*:*:*:*:*:*
cpe:2.3:h:apple:m1_mac_mini:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*
cpe:2.3:h:google:pixel_6:-:*:*:*:*:*:*:*
History

05 Oct 2023, 14:36

Type Values Removed Values Added
First Time Intel core I7-10510u
Intel core I7-11800h
Microsoft windows 11
Google android
Apple macos
Nvidia geforce Rtx 2080 Super
Amd ryzen 7 4800u
Apple m1 Mac Mini
Apple
Microsoft windows 10
Microsoft
Google pixel 6
Nvidia
Intel
Amd
Intel core I7-8700
Intel core I7-10610u
Canonical ubuntu Linux
Amd ryzen 5 7600x
Canonical
Intel core I7-12700k
Nvidia geforce Rtx 3060
Google
CWE CWE-203
References (MISC) https://blog.imaginationtech.com/reducing-bandwidth-pvric/ - (MISC) https://blog.imaginationtech.com/reducing-bandwidth-pvric/ - Press/Media Coverage
References (MISC) https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/ - (MISC) https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/ - Press/Media Coverage, Third Party Advisory
References (MISC) https://www.hertzbleed.com/gpu.zip/ - (MISC) https://www.hertzbleed.com/gpu.zip/ - Technical Description
References (MISC) https://github.com/UT-Security/gpu-zip - (MISC) https://github.com/UT-Security/gpu-zip - Third Party Advisory
References (MISC) https://blog.imaginationtech.com/introducing-pvric4-taking-image-compression-to-the-next-level/ - (MISC) https://blog.imaginationtech.com/introducing-pvric4-taking-image-compression-to-the-next-level/ - Press/Media Coverage
References (MISC) https://www.w3.org/TR/filter-effects-1/ - (MISC) https://www.w3.org/TR/filter-effects-1/ - Exploit
References (MISC) https://www.bleepingcomputer.com/news/security/modern-gpus-vulnerable-to-new-gpuzip-side-channel-attack/ - (MISC) https://www.bleepingcomputer.com/news/security/modern-gpus-vulnerable-to-new-gpuzip-side-channel-attack/ - Press/Media Coverage
References (MISC) https://news.ycombinator.com/item?id=37663159 - (MISC) https://news.ycombinator.com/item?id=37663159 - Issue Tracking
References (MISC) https://www.hertzbleed.com/gpu.zip/GPU-zip.pdf - (MISC) https://www.hertzbleed.com/gpu.zip/GPU-zip.pdf - Exploit
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.3
CPE cpe:2.3:h:intel:core_i7-10610u:-:*:*:*:*:*:*:*
cpe:2.3:h:intel:core_i7-8700:-:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:*
cpe:2.3:o:microsoft:windows_11:-:*:*:*:home:*:*:*
cpe:2.3:h:nvidia:geforce_rtx_2080_super:-:*:*:*:*:*:*:*
cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*
cpe:2.3:h:apple:m1_mac_mini:-:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:13.1:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11:-:*:*:*:professional:*:*:*
cpe:2.3:h:nvidia:geforce_rtx_3060:-:*:*:*:*:*:*:*
cpe:2.3:h:intel:core_i7-11800h:-:*:*:*:*:*:*:*
cpe:2.3:h:google:pixel_6:-:*:*:*:*:*:*:*
cpe:2.3:h:amd:ryzen_5_7600x:-:*:*:*:*:*:*:*
cpe:2.3:h:intel:core_i7-12700k:-:*:*:*:*:*:*:*
cpe:2.3:h:intel:core_i7-10510u:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10:-:*:*:*:pro:*:*:*
cpe:2.3:h:amd:ryzen_7_4800u:-:*:*:*:*:*:*:*

03 Oct 2023, 05:15

Type Values Removed Values Added
References
  • (MISC) https://www.bleepingcomputer.com/news/security/modern-gpus-vulnerable-to-new-gpuzip-side-channel-attack/ -
Summary PVRIC (PowerVR Image Compression) on Imagination 2018 and later GPU devices offers software-transparent compression that enables cross-origin pixel-stealing attacks against feTurbulence and feBlend in the SVG Filter specification. For example, attackers can sometimes accurately determine text contained on a web page from one origin if they control a resource from a different origin. PVRIC (PowerVR Image Compression) on Imagination 2018 and later GPU devices offers software-transparent compression that enables cross-origin pixel-stealing attacks against feTurbulence and feBlend in the SVG Filter specification, aka a GPU.zip issue. For example, attackers can sometimes accurately determine text contained on a web page from one origin if they control a resource from a different origin.

27 Sep 2023, 15:19

Type Values Removed Values Added
New CVE
Information

Published : 2023-09-27 15:19

Updated : 2024-02-28 20:33

NVD link : CVE-2023-44216

Mitre link : CVE-2023-44216

CVE.ORG link : CVE-2023-44216

JSON object : View

Products Affected

apple

  • macos
  • m1_mac_mini

intel

  • core_i7-10610u
  • core_i7-11800h
  • core_i7-8700
  • core_i7-12700k
  • core_i7-10510u

nvidia

  • geforce_rtx_3060
  • geforce_rtx_2080_super

microsoft

  • windows_10
  • windows_11

canonical

  • ubuntu_linux

amd

  • ryzen_7_4800u
  • ryzen_5_7600x

google

  • android
  • pixel_6
CWE
CWE-203

Observable Discrepancy


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024