Introduction
A use after free vulnerability in the NVIDIA Linux display driver allows a local attacker with low privileges to potentially escalate privileges, execute arbitrary code, or cause denial of service, all without any user interaction. For organizations running NVIDIA GPUs in shared Linux environments, whether GPU compute clusters, multi tenant research workstations, or virtualized infrastructure with vGPU, this flaw (CVE-2026-24187) warrants immediate attention given its CVSS 8.8 rating and the breadth of affected driver branches.
Technical Information
CVE-2026-24187 is a use after free condition classified under CWE-416, residing in the Linux kernel mode layer of the NVIDIA display driver. Use after free vulnerabilities occur when software continues to reference memory after it has been freed. If that freed memory is subsequently reallocated and an attacker can influence its contents, they may corrupt program state or hijack execution flow.
CVSS Vector Analysis
The CVE record provides a CVSS v3.1 vector of AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H with a base score of 8.8. Breaking this down:
- Attack Vector: Local — the attacker needs local access to the target system.
- Attack Complexity: Low — no special conditions or race windows are required.
- Privileges Required: Low — a standard unprivileged user account suffices.
- User Interaction: None — no action from another user is needed.
- Scope: Changed — exploitation can affect resources beyond the vulnerable component's own security boundary.
- Confidentiality, Integrity, Availability: all High — full impact across all three dimensions.
The Changed scope designation is particularly noteworthy. It indicates that a successful exploit crosses a trust boundary, consistent with escalation from a low privilege user context into kernel or driver level execution.
Tenable independently scored the vulnerability at CVSS v3.0 base 7.8 using Unchanged scope (S:U), and CVSS v2 base 4.6 with partial CIA impacts. The scoring divergence centers on the scope metric, but both assessments agree on local, low complexity, low privilege exploitation with high impact.
Exploitation Scenario
In practical terms, a local user on a Linux system running an affected NVIDIA driver could trigger the use after free to achieve:
- Denial of service: crashing the driver or the entire system.
- Privilege escalation: gaining kernel level access from an unprivileged account.
- Information disclosure: reading memory contents that should be inaccessible.
- Data tampering: modifying data processed by the driver stack.
- Code execution: running arbitrary code in a privileged context.
This is especially relevant in multi tenant environments, GPU compute clusters, and any Linux deployment where multiple users share GPU resources or where GPU accelerated workloads run under non root service accounts. A compromised process or a malicious local user could leverage this flaw to break out of their privilege boundary.
Additional Context
The vulnerability was credited to researcher Yegor Vasilenko. Because NVIDIA's kernel mode GPU driver is proprietary and closed source, no source code diff or commit is publicly available. The fix is delivered exclusively through updated binary driver packages.
CVE-2026-24187 only affects Linux drivers. It does not appear in any of the Windows specific CVE remediation tables in NVIDIA's May 2026 bulletin.
| Source | CVSS Version | Vector | Base Score | Notes |
|---|---|---|---|---|
| CVE Record | v3.1 | AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 8.8 | Changed scope |
| Tenable | v3.0 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.8 | Unchanged scope |
| Tenable | v2 | AV:L/AC:L/Au:N/C:P/I:P/A:P | 4.6 | Partial impacts |
Patch Information
NVIDIA officially patched CVE-2026-24187 as part of its May 2026 GPU Display Driver Security Bulletin (answer ID 5821), initially published on May 19, 2026, and revised through May 21 to correct several driver version errors in the tables.
Standalone Linux GPU Display Driver (GeForce, NVIDIA RTX/Quadro/NVS, Tesla)
| Driver Branch | Affected Versions | Fixed Version |
|---|---|---|
| R595 | All prior to 595.71.05 | 595.71.05 |
| R580 | All prior to 580.159.03 | 580.159.03 |
| R535 | All prior to 535.309.01 | 535.309.01 |
NVIDIA vGPU Software: Linux Guest Driver
| vGPU Software Version | Affected Driver | Fixed vGPU / Driver |
|---|---|---|
| Up to 20.0 | 595.58.03 | 20.1 / 595.71.05 |
| Up to 19.4 | 580.126.09 | 19.5 / 580.159.03 |
| Up to 16.13 | 535.288.01 | 16.14 / 535.309.01 |
NVIDIA vGPU Manager (XenServer, VMware vSphere, RHEL KVM, Ubuntu)
| vGPU Software Version | Affected Driver | Fixed vGPU / Driver |
|---|---|---|
| Up to 20.0 | 595.58.02 | 20.1 / 595.71.03 |
| Up to 19.4 | 580.126.08 | 19.5 / 580.159.01 |
| Up to 16.13 | 535.288.01 | 16.14 / 535.309.01 |
NVIDIA Cloud Gaming Linux Guest Driver and vGPU Manager are also patched to the same driver versions shown above under the "April 2026 Release" label via the NVIDIA Licensing Portal.
R570 branch end of life: NVIDIA confirmed to GamingOnLinux that the R570 branch has reached end of life status and will not receive a security fix for CVE-2026-24187. Users still on R570 must migrate to a supported branch (R535, R580, or R595) to obtain the patch.
Consumer users can obtain updated drivers through the NVIDIA Driver Downloads page. Enterprise and vGPU customers must retrieve updates through the NVIDIA Licensing Portal. Tenable has published Nessus plugin 316514 (published May 22, 2026) to detect unpatched Linux systems via self reported driver version numbers.
Affected Systems and Versions
CVE-2026-24187 affects Linux only. The following components and version ranges are vulnerable:
Standalone Linux Display Drivers:
- R595 branch: all versions prior to 595.71.05
- R580 branch: all versions prior to 580.159.03
- R535 branch: all versions prior to 535.309.01
- R570 branch: all versions (end of life, no fix available; migration required)
These apply across GeForce, NVIDIA RTX, Quadro, NVS, and Tesla product lines on Linux.
vGPU Guest Drivers (Linux):
- vGPU software up to 20.0 with driver 595.58.03
- vGPU software up to 19.4 with driver 580.126.09
- vGPU software up to 16.13 with driver 535.288.01
Virtual GPU Manager:
- vGPU software up to 20.0 with driver 595.58.02
- vGPU software up to 19.4 with driver 580.126.08
- vGPU software up to 16.13 with driver 535.288.01
Windows display drivers are not affected by this CVE.
References
- NVD: CVE-2026-24187
- CVE Record: CVE-2026-24187
- Security Bulletin: NVIDIA GPU Display Drivers, May 2026
- NVIDIA Product Security
- Tenable: CVE-2026-24187
- Tenable Nessus Plugin 316514: NVIDIA Linux GPU Display Driver (May 2026)
- GamingOnLinux: NVIDIA reveal more GPU driver security flaws for May 2026
- CWE-416: Use After Free (Mondoo)
- CWE-416 Vulnerability Overview (Backslash Security)



