Vulnerability Description
PVRIC (PowerVR Image Compression) on Imagination 2018 and later GPU devices offers software-transparent compression that enables cross-origin pixel-stealing attacks against feTurbulence and feBlend in the SVG Filter specification, aka a GPU.zip issue. For example, attackers can sometimes accurately determine text contained on a web page from one origin if they control a resource from a different origin.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Ubuntu Linux | 22.04 |
| Amd | Ryzen 7 4800U | - |
| Intel | Core I7-10510U | - |
| Intel | Core I7-12700K | - |
| Intel | Core I7-8700 | - |
| Microsoft | Windows 11 | - |
| Intel | Core I7-10610U | - |
| Intel | Core I7-11800H | - |
| Nvidia | Geforce Rtx 3060 | - |
| Microsoft | Windows 10 | - |
| Amd | Ryzen 5 7600X | - |
| Nvidia | Geforce Rtx 2080 Super | - |
| Apple | Macos | 13.1 |
| Apple | M1 Mac Mini | - |
| Android | 13.0 | |
| Pixel 6 | - |
Related Weaknesses (CWE)
References
- https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnePress/Media CoverageThird Party Advisory
- https://blog.imaginationtech.com/introducing-pvric4-taking-image-compression-to-Press/Media Coverage
- https://blog.imaginationtech.com/reducing-bandwidth-pvric/Press/Media Coverage
- https://github.com/UT-Security/gpu-zipThird Party Advisory
- https://news.ycombinator.com/item?id=37663159Issue Tracking
- https://www.bleepingcomputer.com/news/security/modern-gpus-vulnerable-to-new-gpuPress/Media Coverage
- https://www.hertzbleed.com/gpu.zip/Technical Description
- https://www.hertzbleed.com/gpu.zip/GPU-zip.pdfExploit
- https://www.w3.org/TR/filter-effects-1/Exploit
- https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnePress/Media CoverageThird Party Advisory
- https://blog.imaginationtech.com/introducing-pvric4-taking-image-compression-to-Press/Media Coverage
- https://blog.imaginationtech.com/reducing-bandwidth-pvric/Press/Media Coverage
- https://github.com/UT-Security/gpu-zipThird Party Advisory
- https://news.ycombinator.com/item?id=37663159Issue Tracking
- https://www.bleepingcomputer.com/news/security/modern-gpus-vulnerable-to-new-gpuPress/Media Coverage
FAQ
What is CVE-2023-44216?
CVE-2023-44216 is a vulnerability with a CVSS score of 5.3 (MEDIUM). PVRIC (PowerVR Image Compression) on Imagination 2018 and later GPU devices offers software-transparent compression that enables cross-origin pixel-stealing attacks against feTurbulence and feBlend in...
How severe is CVE-2023-44216?
CVE-2023-44216 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-44216?
Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Amd Ryzen 7 4800U, Intel Core I7-10510U, Intel Core I7-12700K, Intel Core I7-8700.