Rapid7, which says it discovered the flaw in the Linux graphics driver, says risk goes back to 2004.
The proof-of-concept code shows how an attacker could launch a buffer overflow and then commandeer the system, according to an advisory released Monday by security company Rapid7.
The critical flaws were found in Nvidia's binary graphics driver for Linux, versions 8774 and 8762, and may also affect its drivers for FreeBSD and Solaris, according to the advisory.
Rapid7, which discovered the flaws, said that the proprietary Linux drivers are vulnerable to a buffer overflow attack if the user visits a malicious Web site. The attack could enable an outsider to remotely run arbitrary code on the system and write arbitrary data anywhere in its memory.
Nvidia, a major graphics chipmaker that develops both proprietary and open-source drivers, is currently working on a hotfix for the drivers and hopes to have one in place within the next few days, an Nvidia representative said.
As a result, he said the company is comfortable with the processes it has in place, despite the publication of the proof-of-concept exploit code. Rapid7 said it released the code last week to demonstrate that Nvidia's Linux driver vulnerabilities are a high security risk. It said that the risk has been present in the drivers for a couple of years.
"There have been multiple public reports of this Nvidia bug on the NVNews forum and elsewhere, dating back to 2004," Rapid7 said in its advisory. "In a public posting on the NVNews forum, an Nvidia employee reported having reproduced the problem, assigned it bug ID 239065, and promised a fix would be forthcoming."
Although Nvidia made its first public acknowledgement of the problem in July, the binary driver is still vulnerable, according to Rapid7's advisory.
"It is our opinion that Nvidia's binary driver remains an unacceptable security risk based on the larger numbers of reproducible, unfixed crashes that have been reported in public forums and bug databases," Rapid7's advisory said.
Nvidia, however, contends that it fixed the bug over the summer and that it was unaware of the security flaws until contacted by Rapid7 on Monday.