CVE-2023-44216

moderate-risk

Published 2023-09-27

PVRIC (PowerVR Image Compression) on Imagination 2018 and later GPU devices offers software-transparent compression that enables cross-origin pixel-stealing attacks against feTurbulence and feBlend in the SVG Filter specification, aka a GPU.zip issue. For example, attackers can sometimes accurately determine text contained on a web page from one origin if they control a resource from a different origin.

Do I need to act?

0.49% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / HIGH complexity

Affected Products (17)

Ubuntu Linux

Ryzen 7 4800U

Core I7-10510U

Core I7-12700K

Core I7-8700

Windows 11

Core I7-10610U

Windows 11

Core I7-11800H

Geforce Rtx 3060

Windows 10

Ryzen 5 7600X

Geforce Rtx 2080 Super

Macos

M1 Mac Mini

Android

Pixel 6

Affected Vendors

Microsoft Apple Intel Google Canonical Nvidia Amd

References (18)

Press/Media Coverage https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulne...

Press/Media Coverage https://blog.imaginationtech.com/introducing-pvric4-taking-image-compression-to-...

Press/Media Coverage https://blog.imaginationtech.com/reducing-bandwidth-pvric/

Third Party Advisory https://github.com/UT-Security/gpu-zip

Issue Tracking https://news.ycombinator.com/item?id=37663159

Press/Media Coverage https://www.bleepingcomputer.com/news/security/modern-gpus-vulnerable-to-new-gpu...

Technical Description https://www.hertzbleed.com/gpu.zip/

Exploit https://www.hertzbleed.com/gpu.zip/GPU-zip.pdf

Exploit https://www.w3.org/TR/filter-effects-1/