CVE-2015-7865 in Stereoscopic 3D driver

Summary

by MITRE

nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before 354.35, and R358 before 358.87 on Windows does not properly restrict access to the stereosvrpipe named pipe, which allows local users to gain privileges via a commandline in a number 2 command, which is stored in the HKEY_LOCAL_MACHINE explorer Run registry key, a different vulnerability than CVE-2011-4784.


Analysis

by VulDB Data Team • 06/19/2025

CVE-2015-7865 is a critical privilege escalation flaw in NVIDIA's Stereoscopic 3D Driver Service. It affects NVIDIA GPU drivers R340 before 341.92, R352 before 354.35, and R358 before 358.87 on Windows. The flaw resides in nvSCPAPISvr.exe, the service executable that manages stereoscopic 3D functionality for NVIDIA graphics hardware. The service does not apply proper access control to its stereosvrpipe named pipe, so the security boundary between local users and the service can be crossed by a local attacker to elevate privileges.

Technically, the vulnerability is a named pipe that lacks proper access restrictions. The stereosvrpipe named pipe serves as a communication channel between components of the Stereoscopic 3D service, but the service fails to validate or restrict who may access it. This allows local users to manipulate the service through a command line that the service then stores in the Windows registry under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key. When the system processes these registry entries during startup, the malicious commands execute with elevated privileges, enabling privilege escalation from standard user level to system level access. The explorer Run registry key is designed to execute programs automatically during system startup, which makes it an attractive target for persistent privilege escalation attacks.

The operational impact of CVE-2015-7865 extends beyond simple privilege escalation to encompass potential system compromise and persistent access. Attackers can leverage this vulnerability to establish footholds within systems that would normally require more sophisticated exploitation techniques. The vulnerability creates a persistent backdoor mechanism since registry entries stored in the Run key ensure that malicious commands execute automatically upon system boot, maintaining access even after system reboots. The attack vector specifically targets the Windows registry modification process, which is a common persistence mechanism in malware and exploit frameworks. This vulnerability demonstrates a classic privilege escalation pattern where a service running with elevated privileges fails to properly validate input from local users, creating an attack surface that can be exploited to execute arbitrary code with system-level privileges.

From a cybersecurity perspective, this vulnerability aligns with CWE-284 Access Control Issues, specifically addressing improper access control mechanisms in named pipe implementations. The flaw also maps to ATT&CK technique T1068 Privilege Escalation, where adversaries leverage local service vulnerabilities to gain elevated system privileges. The attack chain follows a pattern common in Windows exploitation where local users manipulate service configurations through registry modifications to achieve privilege escalation. The vulnerability's relationship to CVE-2011-4784 indicates a pattern of similar privilege escalation flaws in NVIDIA's graphics driver components, suggesting systemic issues in how these services handle local user input and access control. Organizations should consider this vulnerability as part of broader Windows privilege escalation attack patterns and implement comprehensive monitoring for unauthorized registry modifications in the Run key registry locations. The remediation approach requires immediate driver updates to patched versions and implementation of registry monitoring controls to detect unauthorized modifications to system persistence mechanisms.
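The two remediation steps above, as an added example that is not part of the original entry and is not NVIDIA's or VulDB's code: a Python triage helper that checks a driver version against the fixed versions and flags Sysmon Event ID 13 (registry value set) records in which nvSCPAPISvr.exe sets a Run key value. The branch lower bounds, Sysmon as the log source, the Wow6432Node variant of the key, and all sample paths and values are assumptions or constructed data; a hit is a lead for review, not proof of exploitation.

```python
import ntpath
import re

# Run key under HKLM as Sysmon abbreviates it; the optional Wow6432Node part
# covers the redirected view that a 32-bit writer sees on 64-bit Windows.
RUN_VALUE = re.compile(
    r"^hklm\\software\\(?:wow6432node\\)?microsoft\\windows"
    r"\\currentversion\\run\\(.+)$", re.IGNORECASE)
SERVICE_IMAGE = "nvscpapisvr.exe"

# (assumed branch floor, fixed version taken from the CVE text)
AFFECTED = [((340, 0), (341, 92)), ((352, 0), (354, 35)), ((358, 0), (358, 87))]

def driver_is_affected(version):
    """True if a 'major.minor' driver version falls in a listed range."""
    major, minor = version.strip().split(".")[:2]
    v = (int(major), int(minor))
    return any(floor <= v < fixed for floor, fixed in AFFECTED)

def run_key_writes_by_service(events):
    """Return (value name, data) for Run-key values set by the service."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:          # 13 = registry value set
            continue
        match = RUN_VALUE.match(ev.get("TargetObject", ""))
        image = ntpath.basename(ev.get("Image", "")).lower()
        if match and image == SERVICE_IMAGE:
            hits.append((match.group(1), ev.get("Details", "")))
    return hits

# Constructed sample events (field names follow Sysmon Event ID 13;
# paths and values are placeholders, not taken from a real system).
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN32 = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
SVC = r"C:\install-dir\nvSCPAPISvr.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": SVC, "TargetObject": RUN + r"\ExampleA", "Details": r"C:\placeholder\a.exe"},
    {"EventID": 13, "Image": SVC, "TargetObject": RUN32 + r"\ExampleB", "Details": r"C:\placeholder\b.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe", "TargetObject": RUN + r"\Installer", "Details": "x"},
    {"EventID": 13, "Image": SVC, "TargetObject": r"HKLM\SOFTWARE\ExampleVendor\Setting", "Details": "1"},
    {"EventID": 12, "Image": SVC, "TargetObject": RUN + r"\ExampleC", "Details": ""},
]

if __name__ == "__main__":
    for name, data in run_key_writes_by_service(SAMPLE_EVENTS):
        print(f"Run value {name!r} set by {SERVICE_IMAGE}: {data}")
    print("341.74 affected:", driver_is_affected("341.74"))
```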

Reservation

10/19/2015

Disclosure

11/24/2015

Moderation

accepted

Entry

VDB-79305

CPE

ready

Exploit

Download

EPSS

0.01551

KEV

no

Activities

very low
