Skip to main content

NVIDIA Display Driver CVE-2026-24191

| EUVDEUVD-2026-31931 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-05-26 nvidia GHSA-2439-7mhv-329q
7.8
CVSS 3.1 · Vendor: nvidia
Share

Severity by source

Vendor (nvidia) PRIMARY
7.8 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from Vendor (nvidia) · only source for this CVE.

CVSS VectorVendor: nvidia

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 10:06 vuln.today
CVE Published
May 26, 2026 - 17:23 nvd
HIGH 7.8

DescriptionCVE.org

NVIDIA Display Driver for Windows contains a vulnerability where an attacker could cause a time-of-check time-of-use issue. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution.

AnalysisAI

Local privilege escalation in NVIDIA Display Driver for Windows (GeForce, RTX/Quadro/NVS, Tesla, and vGPU guest/manager components) stems from a time-of-check time-of-use (TOCTOU) race condition that can be abused by a low-privileged local user. Successful exploitation may yield code execution, privilege escalation, denial of service, information disclosure, or data tampering with scope change beyond the driver's security boundary. No public exploit identified at time of analysis; EPSS is 0.01% and SSVC exploitation status is 'none', so the practical risk is contingent on local access and winning a high-complexity race.

Technical ContextAI

The flaw is a CWE-367 Time-of-Check Time-of-Use race condition within the NVIDIA kernel-mode display driver stack on Windows. TOCTOU bugs occur when a privileged component validates a resource (a handle, path, buffer, or permission state) and then operates on it later, allowing an unprivileged caller to swap or mutate the resource between the check and the use. In a kernel driver context - confirmed by the CPE coverage spanning consumer GeForce, professional RTX/Quadro/NVS, datacenter Tesla, and the NVIDIA Virtual GPU Manager and guest driver - winning the race lets a user-mode caller cause the kernel to act on attacker-controlled data, which is why the CVSS scope is Changed (S:C) and all three CIA impacts are High. The same primitive class historically appears in IOCTL handlers where user pointers or shared memory regions are re-read after validation.

RemediationAI

Apply the vendor-released patches per NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5821: upgrade GeForce, RTX/Quadro/NVS, and Tesla Windows drivers to 596.36 or later on the current branch, or to 582.53 / 539.72 on the respective maintenance branches; in virtualized deployments upgrade NVIDIA Virtual GPU Manager and guest drivers to versions beyond vGPU 16.13 (guest 539.64), vGPU 19.4 (manager/guest 582.16), and vGPU 20.0 (manager 595.94 / guest 595.97). Until patching is complete, compensating controls include restricting interactive and remote-code-execution access on systems with the vulnerable driver (since exploitation requires a local low-privileged account), tightening application allowlisting to block unauthorized binaries that could spawn race-window threads, and in vGPU/VDI environments isolating untrusted tenants onto patched hosts first - these reduce exposure but do not eliminate it for any user who can already run code locally. Disabling the GPU driver is generally not a viable workaround for systems that depend on hardware acceleration; downgrading to an older branch is not an alternative because the older branches are themselves in scope.

More in Nvidia

View all
CVE-2016-1741 CRITICAL POC
9.8 Mar 24

The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.4 allows attackers to execute arbitrary c

CVE-2013-0109 HIGH POC
7.2 Apr 08

The NVIDIA driver before 307.78, and Release 310 before 311.00, in the NVIDIA Display Driver service on Windows does not

CVE-2019-5684 CRITICAL POC
10.0 Aug 06

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft

CVE-2026-24207 CRITICAL POC
9.8 May 20

Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected funct

CVE-2019-5685 CRITICAL POC
9.8 Aug 06

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft

CVE-2025-23359 HIGH POC
8.3 Feb 12

NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default co

CVE-2016-8812 HIGH POC
8.8 Nov 08

For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA GeForce Experience R340 before GFE 2.11.4.125 and R375 before G

CVE-2016-1861 HIGH POC
7.8 Jun 19

The NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privi

CVE-2024-0132 HIGH POC
8.3 Sep 26

NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with de

CVE-2016-1846 HIGH POC
7.8 May 20

The nvCommandQueue::GetHandleIndex method in the NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows a

CVE-2015-7865 HIGH POC
7.7 Nov 24

nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before

CVE-2016-8811 HIGH POC
7.8 Nov 08

For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 3

Share

CVE-2026-24191 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy