CVE-2016-1846

HIGH

NVIDIA Graphics Drivers <10.11.5 - RCE/DoS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-1846. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit leverages a race condition in the nvCommandQueue::GetHandleIndex method in GeForce.kext to achieve a NULL pointer dereference, leading to kernel RIP control. It maps the NULL page in userspace and races IOServiceClose with an IOKit call to trigger the vulnerability.

Description

The nvCommandQueue::GetHandleIndex method in the NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference and memory corruption) via a crafted app.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · cdososx

https://www.exploit-db.com/exploits/39920

View Code ZIP pw:eip

This exploit leverages a race condition in the nvCommandQueue::GetHandleIndex method in GeForce.kext to achieve a NULL pointer dereference, leading to kernel RIP control. It maps the NULL page in userspace and races IOServiceClose with an IOKit call to trigger the vulnerability.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Racy

Target: Apple macOS 10.11.4 with NVIDIA GeForce.kext

No auth needed

Prerequisites: macOS 10.11.4 with NVIDIA GeForce.kext · Ability to execute code on the target system

MITRE ATT&CK