CVE-2022-34670: 
Bottlerocket vulnerability analysis and mitigation

NVIDIA GPU Display Driver for Linux contains a vulnerability (CVE-2022-34670) in the kernel mode layer handler, where an unprivileged regular user can cause truncation errors when casting a primitive to a primitive of smaller size causes data to be lost in the conversion, which may lead to denial of service or information disclosure. The vulnerability was discovered in 2022 and affects multiple versions of NVIDIA GPU drivers (NVIDIA Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified under CWE-197 (Numeric Truncation Error) and CWE-681 (Incorrect Conversion between Numeric Types). The vulnerability specifically affects the kernel mode layer handler and involves improper handling of numeric type conversions (NVD).

The exploitation of this vulnerability can lead to denial of service conditions or information disclosure in affected systems. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of the system when exploited by an unprivileged local user (NVIDIA Advisory).

NVIDIA has released security updates to address this vulnerability across multiple driver branches. For Linux systems, the fixed versions are: R525 (525.60.11), R515 (515.86.01), R510 (510.108.03), R470 (470.161.03), R450 (450.216.04), and R390 (390.157). Users are advised to update to these or later versions to mitigate the vulnerability (NVIDIA Advisory, Debian LTS).