Severity by source
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from Vendor (nvidia) · only source for this CVE.
CVSS VectorVendor: nvidia
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
NVIDIA Display Driver for Windows contains a vulnerability where an attacker could cause a time-of-check time-of-use issue. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution.
AnalysisAI
Local privilege escalation in NVIDIA Display Driver for Windows (GeForce, RTX/Quadro/NVS, Tesla, and vGPU guest/manager components) stems from a time-of-check time-of-use (TOCTOU) race condition that can be abused by a low-privileged local user. Successful exploitation may yield code execution, privilege escalation, denial of service, information disclosure, or data tampering with scope change beyond the driver's security boundary. No public exploit identified at time of analysis; EPSS is 0.01% and SSVC exploitation status is 'none', so the practical risk is contingent on local access and winning a high-complexity race.
Technical ContextAI
The flaw is a CWE-367 Time-of-Check Time-of-Use race condition within the NVIDIA kernel-mode display driver stack on Windows. TOCTOU bugs occur when a privileged component validates a resource (a handle, path, buffer, or permission state) and then operates on it later, allowing an unprivileged caller to swap or mutate the resource between the check and the use. In a kernel driver context - confirmed by the CPE coverage spanning consumer GeForce, professional RTX/Quadro/NVS, datacenter Tesla, and the NVIDIA Virtual GPU Manager and guest driver - winning the race lets a user-mode caller cause the kernel to act on attacker-controlled data, which is why the CVSS scope is Changed (S:C) and all three CIA impacts are High. The same primitive class historically appears in IOCTL handlers where user pointers or shared memory regions are re-read after validation.
RemediationAI
Apply the vendor-released patches per NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5821: upgrade GeForce, RTX/Quadro/NVS, and Tesla Windows drivers to 596.36 or later on the current branch, or to 582.53 / 539.72 on the respective maintenance branches; in virtualized deployments upgrade NVIDIA Virtual GPU Manager and guest drivers to versions beyond vGPU 16.13 (guest 539.64), vGPU 19.4 (manager/guest 582.16), and vGPU 20.0 (manager 595.94 / guest 595.97). Until patching is complete, compensating controls include restricting interactive and remote-code-execution access on systems with the vulnerable driver (since exploitation requires a local low-privileged account), tightening application allowlisting to block unauthorized binaries that could spawn race-window threads, and in vGPU/VDI environments isolating untrusted tenants onto patched hosts first - these reduce exposure but do not eliminate it for any user who can already run code locally. Disabling the GPU driver is generally not a viable workaround for systems that depend on hardware acceleration; downgrading to an older branch is not an alternative because the older branches are themselves in scope.
The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.4 allows attackers to execute arbitrary c
The NVIDIA driver before 307.78, and Release 310 before 311.00, in the NVIDIA Display Driver service on Windows does not
NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft
Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected funct
NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft
NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default co
For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA GeForce Experience R340 before GFE 2.11.4.125 and R375 before G
The NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privi
NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with de
The nvCommandQueue::GetHandleIndex method in the NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows a
nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before
For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 3
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31931
GHSA-2439-7mhv-329q