Skip to main content

NVIDIA Display Driver EUVDEUVD-2026-31925

| CVE-2026-24199 MEDIUM
Race Condition (CWE-362)
2026-05-26 nvidia GHSA-rcj6-p7vw-pm6c
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 12:38 vuln.today

DescriptionCVE.org

NVIDIA Display Driver for Linux contains a vulnerability in a kernel module, where a user could cause a race condition by reordering compiler or processor memory instructions. A successful exploit of this vulnerability might lead to denial of service.

AnalysisAI

Race condition exploitation in NVIDIA Display Driver's Linux kernel module allows a local authenticated user to cause denial of service by manipulating compiler or processor memory instruction ordering. Affected product lines span GeForce, RTX/Quadro/NVS, Tesla, and vGPU Guest Driver across multiple driver branches up to the March 2026 release. No active exploitation has been confirmed - this is not listed in CISA KEV, EPSS is 0.01% (1st percentile), and SSVC assessment classifies exploitation status as none - placing this firmly in a patch-and-monitor category rather than emergency response.

Technical ContextAI

The vulnerability (CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization) exists in a kernel module component of the NVIDIA Display Driver for Linux. The root cause is inadequate memory barrier or synchronization primitive usage, allowing the compiler or CPU to reorder memory access instructions in a way that creates a time-of-check/time-of-use (TOCTOU)-style race window. Under Linux, kernel modules execute with elevated privileges, and a user-space process that can interact with the driver's IOCTL or memory-mapped interfaces may be able to trigger this window by racing concurrent operations. Affected CPE entries confirm the scope: cpe:2.3:a:nvidia:geforce, cpe:2.3:a:nvidia:rtx,_quadro,_nvs, cpe:2.3:a:nvidia:tesla, and cpe:2.3:a:nvidia:guest_driver - spanning consumer, workstation, datacenter, and virtualization driver stacks on Linux.

RemediationAI

A vendor-released patch is available per the NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5821. Administrators should upgrade to the following fixed versions based on their driver branch: GeForce, RTX/Quadro/NVS, and Tesla users on the R580 branch should upgrade to 580.159.03 or later; those on the R535 long-term branch should upgrade to 535.309.01 or later; those on the R595 branch should upgrade to 595.71.05 or later. For vGPU deployments, Virtual GPU Manager and Guest Driver users on vGPU 19.x should upgrade to the post-vGPU 19.4 release (580.126.08 / 580.126.09 or later), and those on vGPU 16.x should upgrade beyond vGPU 16.13 (535.288.01 or later). As a compensating control where immediate patching is not possible, restrict local interactive access to Linux systems hosting NVIDIA GPUs to trusted users only, and consider disabling GPU-accelerated workloads for untrusted user accounts - note this may impact legitimate compute workloads. In multi-tenant cloud or VDI environments, priority should be placed on the vGPU Manager and Guest Driver branches given the higher exposure surface.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed

Share

EUVD-2026-31925 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy