NVIDIA addresses Spectre vulnerabilities

Subject: General Tech, Graphics Cards | January 5, 2018 - 02:59 PM |
Tagged: meltdown, spectre, geforce, quadro, NVS, nvidia, tesla, security

If you were wondering if NVIDIA products are vulnerable to some of the latest security threats, the answer is yes.  Your Shield device or GPU is not vulnerable to CVE-2017-5754, aka Meltdown, however the two variants of Spectre could theoretically be used to infect you. 

  • Variant 1 (CVE-2017-5753): Mitigations are provided with the security update included in this bulletin. NVIDIA expects to work together with its ecosystem partners on future updates to further strengthen mitigations.

  • Variant 2 (CVE-2017-5715): Mitigations are provided with the security update included in this bulletin. NVIDIA expects to work together with its ecosystem partners on future updates to further strengthen mitigations.

  • Variant 3 (CVE-2017-5754): At this time, NVIDIA has no reason to believe that Shield TV/tablet is vulnerable to this variant.

The Android based Shield tablet should be updated to Shield Experience 5.4, which should arrive before the end of the month.  Your Shield TV, should you actually still have a working on will receive Shield Experience 6.3 along the same time frame.

The GPU is a little more complex as there are several product lines and OSes which need to be dealt with.  There should be a new GeForce driver appearing early next week for gaming GPUs, with HPC cards receiving updates on the dates you can see below.

View Full Size

There is no reason to expect Radeon and Vega GPUs to suffer from these issues at this time.  Intel could learn a bit from NVIDIA's response, which has been very quick and includes ther older hardware.

Source: NVIDIA

January 5, 2018 | 03:18 PM - Posted by Anony mouse (not verified)

So all those Login GeForce Experience information "always on telemetry" Nvidia has been gathering are just introducing issues ?

What about those people that are on rolled-back driver for functionality where the new drivers break or haven't fixed issues.

January 5, 2018 | 04:00 PM - Posted by Jeremy Hellstrom

Huh?  Not quite following you there.

January 5, 2018 | 04:01 PM - Posted by NvidiaUsesCPUsAlsoForManyUses (not verified)

What About Nvidia's custom Denver cores, does this information cover Nvidia's custom Denver cores? They are different from the ARM Holdings Reference Design cores that Nvidia uses in some of its products. So maybe folks with any Tegra K1 based products need to Know about Nvidia's custom Denver cores.

These CPU companies need to be required to list their exact Make/Model/Model Number of all the CPU that they have ever offered in tabular from amd list which vulrenability that each Product Offering may be subjsct to. So the custom ARM CPU companies need to be forced to list every CPU that they have ever made and list in tabular from any vunlerabilities that these SKUs have. ARM Holdings is only responsible for their Refrence Core Designs and there are pleny of fully custom ARMv8A ISA/Other Arm Holdings ISA running designs that may be completey different under the bonnet. Designs like Apple's A series CPU cores and Nvidia's Denver cores that are fully indipendent custom designs that are engineered to execute the ARMv8A ISA. Ditto for AMD, Intel, Via for their x86 ISA based products and IBM/others for Power, powerPC, and Imagination Technologies/Other makers' MIPS ISA based CPU designs etc.

Nvidia has its Falcon(FAst Logic CONtroller) CPUs used on its GPUs and other Nvidia products and Falcon makes use the RISC-V ISA. so what about those designs as a lot of the video decoder logic that Nvidia has makes use of Nvidia's Falcon based controllers.

January 5, 2018 | 04:02 PM - Posted by NvidiaUsesCPUsAlsoForManyUses (not verified)

Edit: amd list
to: and List

January 5, 2018 | 09:18 PM - Posted by Yojimbo (not verified)

I think this is bad reporting. The article seems to be confusing the issue. Firstly it needlessly mentions GPUs and SoCs together. Secondly it implies that there are vulnerabilities with NVIDIA's GPUs without providing any evidence for it. From NVIDIA's bulletin it looks like the issue is with the display drivers. On January 3 NVIDIA released the following statement:

"NVIDIA’s core business is GPU computing. We believe our GPU hardware is immune to the reported security issue and are updating our GPU drivers to help mitigate the CPU security issue. As for our SoCs with ARM CPUs, we have analyzed them to determine which are affected and are preparing appropriate mitigations."

There's nothing in these new bulletins that contradicts that assessment. The new bulletins address exactly those issues outlined in the January 3rd bulletin: SoCs with ARM CPUs and display drivers that run on CPUs. As for AMD, AMD's SoCs are similarly affected. We'll have to see if AMD releases display driver updates with security fixes in the upcoming weeks. My guess would be that they will.

January 6, 2018 | 05:28 AM - Posted by derek euro (not verified)

nvidia runs their scheduler on the cpu instead on the gpu its the main reason as to why they have such a low tpd compared to amd

it was a suprise to say the least when they said that they werent affected or the fact that they released a statement anyways considering that they should not be affected in any way
turns out they lied once more and it will be interesting to see their "changes"

January 6, 2018 | 09:40 AM - Posted by Yojimbo (not verified)

I thought their instruction scheduling was static - being set at compile time. Sure, it's set by a CPU at compile time, but how is that going to lead to the compromise of the program's data when it is actually run on the GPU at run time? Is there something else going on? How are they especially affected by the CPU's branch prediction?

January 6, 2018 | 01:40 PM - Posted by Jim20 (not verified)

It might have to do with CUDA. It uses JIT compilation at execution, and pretty much any JIT code will be vulnerable to some level by spectre.

January 7, 2018 | 02:14 AM - Posted by Yojimbo (not verified)

OpenCL also Uses JIT:


"OpenCL programs go through two phase compilations. The first phase of compilation converts programs to Intermediate Representation (IR). The second phase takes place at runtime (also called JIT or just-in-time compilation) which translates IR to actual machine instructions of the target device. This enables programs written earlier to take advantage of new hardware features without recompilation."

January 6, 2018 | 02:28 PM - Posted by CPUcoresAreOnEveryProduct (not verified)

Nvidia has many Falcon(FAst Logic CONtrol) that run the RISC-V ISA on their GPUs doing video encoding/decoding tasks/other tasks. So there are plenty of CPUs(Controllers) on those GPU/PCIe cards running firmware based OSs that help the GPU card to function.

January 6, 2018 | 02:29 PM - Posted by CPUcoresAreOnEveryProduct (not verified)

Edit: Falcon(FAst Logic CONtrol)
to: Falcon(FAst Logic CONtroler)

January 7, 2018 | 02:00 AM - Posted by Yojimbo (not verified)


"The RISC-V Foundation says that no currently announced RISC-V CPU is vulnerable to Meltdown and Spectre and, in the wake of those bugs, stressed the importance of open-source development and a modern ISA in preventing vulnerabilities."

January 7, 2018 | 02:05 AM - Posted by Yojimbo (not verified)

To be more clear:

"As the organization points out, because Meltdown/Spectre are the result of hardware optimizations in specific CPUs, the vulnerabilities technically have nothing to do with ISAs. There are x86 CPUs that entirely lack speculative execution, after all. However, the RISC-V Foundation still notes that current RISC-V CPUs are not at risk. The most popular RISC-V CPU design, the open-source RISC-V Rocket, does not do speculative execution on memory access."

So it's likely NVIDIA's RISC-V blocks don't have the problem, but they could. However, all this pure speculation as to why NVIDIA would have the problem and AMD wouldn't is just that, pure speculation.

January 6, 2018 | 03:24 PM - Posted by iain baker (not verified)

What's with the Shield TV dig? Have I missed something? Last I heard they were still having praise rained down on them from all sides.

January 7, 2018 | 02:18 AM - Posted by Yojimbo (not verified)

The Shield TV seems to be a niche high-end product that owners are overall rather happy with. The whole article seems like an unsubstantiated attempt to dig at NVIDIA.

January 10, 2018 | 02:12 PM - Posted by Yojimbo (not verified)


“Our GPUs are immune,” Jensen Huang, chief executive of Nvidia said during an event at the Consumer Electronics Show in Las Vegas, referring to graphics processor units (GPUs), the chip maker’s key product line.

“They are not affected by these security issues.”

“Our driver is just software. Anybody who has software needs to patch,” Huang said. “I am absolutely certain our GPU is not affected. At this moment, I am absolutely certain our GPU is not affected.”

So the GPU is not affected, unlike what this article claims. The GPU is not flawed and the patches are not meant to fix flaws on the GPU. The NVIDIA driver patches are no different than any other software patches that come along to fix security issues.

Furthermore, unlike what this article states, there is reason to expect that Radeon and Vega GPUs might have to undergo similar driver updates in response to the security issues. Perhaps they won't, but we shall see. Regardless, if a driver patch does come out for AMD GPUs it will similarly be no big deal, the only difference being that the sooner such a patch comes out the better.

This article jumped the gun and made a couple of poor assumptions.

January 19, 2018 | 02:40 AM - Posted by Tutu (not verified)

I noticed a hit using the latest Nvidia drivers. Encoding time using sapphire and other GPU related encoding effects in Windows 7 Premiere Pro CC 2018 went from 1:37 upto to 1:46. It was noticeable by eye also.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <blockquote><p><br>
  • Web page addresses and e-mail addresses turn into links automatically.

More information about formatting options

This question is for testing whether you are a human visitor and to prevent automated spam submissions.