ZeroPath at Black Hat USA 2026

Brief Summary: NVIDIA Linux Display Driver CVE-2026-24187 Use After Free Vulnerability

A short review of CVE-2026-24187, a high severity use after free vulnerability in the NVIDIA Linux display driver that can lead to privilege escalation and code execution, along with patch details across multiple driver branches and vGPU components.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-26

Brief Summary: NVIDIA Linux Display Driver CVE-2026-24187 Use After Free Vulnerability
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A use after free vulnerability in the NVIDIA Linux display driver allows a local attacker with low privileges to potentially escalate privileges, execute arbitrary code, or cause denial of service, all without any user interaction. For organizations running NVIDIA GPUs in shared Linux environments, whether GPU compute clusters, multi tenant research workstations, or virtualized infrastructure with vGPU, this flaw (CVE-2026-24187) warrants immediate attention given its CVSS 8.8 rating and the breadth of affected driver branches.

Technical Information

CVE-2026-24187 is a use after free condition classified under CWE-416, residing in the Linux kernel mode layer of the NVIDIA display driver. Use after free vulnerabilities occur when software continues to reference memory after it has been freed. If that freed memory is subsequently reallocated and an attacker can influence its contents, they may corrupt program state or hijack execution flow.

CVSS Vector Analysis

The CVE record provides a CVSS v3.1 vector of AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H with a base score of 8.8. Breaking this down:

  • Attack Vector: Local — the attacker needs local access to the target system.
  • Attack Complexity: Low — no special conditions or race windows are required.
  • Privileges Required: Low — a standard unprivileged user account suffices.
  • User Interaction: None — no action from another user is needed.
  • Scope: Changed — exploitation can affect resources beyond the vulnerable component's own security boundary.
  • Confidentiality, Integrity, Availability: all High — full impact across all three dimensions.

The Changed scope designation is particularly noteworthy. It indicates that a successful exploit crosses a trust boundary, consistent with escalation from a low privilege user context into kernel or driver level execution.

Tenable independently scored the vulnerability at CVSS v3.0 base 7.8 using Unchanged scope (S:U), and CVSS v2 base 4.6 with partial CIA impacts. The scoring divergence centers on the scope metric, but both assessments agree on local, low complexity, low privilege exploitation with high impact.

Exploitation Scenario

In practical terms, a local user on a Linux system running an affected NVIDIA driver could trigger the use after free to achieve:

  • Denial of service: crashing the driver or the entire system.
  • Privilege escalation: gaining kernel level access from an unprivileged account.
  • Information disclosure: reading memory contents that should be inaccessible.
  • Data tampering: modifying data processed by the driver stack.
  • Code execution: running arbitrary code in a privileged context.

This is especially relevant in multi tenant environments, GPU compute clusters, and any Linux deployment where multiple users share GPU resources or where GPU accelerated workloads run under non root service accounts. A compromised process or a malicious local user could leverage this flaw to break out of their privilege boundary.

Additional Context

The vulnerability was credited to researcher Yegor Vasilenko. Because NVIDIA's kernel mode GPU driver is proprietary and closed source, no source code diff or commit is publicly available. The fix is delivered exclusively through updated binary driver packages.

CVE-2026-24187 only affects Linux drivers. It does not appear in any of the Windows specific CVE remediation tables in NVIDIA's May 2026 bulletin.

SourceCVSS VersionVectorBase ScoreNotes
CVE Recordv3.1AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H8.8Changed scope
Tenablev3.0AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H7.8Unchanged scope
Tenablev2AV:L/AC:L/Au:N/C:P/I:P/A:P4.6Partial impacts

Patch Information

NVIDIA officially patched CVE-2026-24187 as part of its May 2026 GPU Display Driver Security Bulletin (answer ID 5821), initially published on May 19, 2026, and revised through May 21 to correct several driver version errors in the tables.

Standalone Linux GPU Display Driver (GeForce, NVIDIA RTX/Quadro/NVS, Tesla)

Driver BranchAffected VersionsFixed Version
R595All prior to 595.71.05595.71.05
R580All prior to 580.159.03580.159.03
R535All prior to 535.309.01535.309.01

NVIDIA vGPU Software: Linux Guest Driver

vGPU Software VersionAffected DriverFixed vGPU / Driver
Up to 20.0595.58.0320.1 / 595.71.05
Up to 19.4580.126.0919.5 / 580.159.03
Up to 16.13535.288.0116.14 / 535.309.01

NVIDIA vGPU Manager (XenServer, VMware vSphere, RHEL KVM, Ubuntu)

vGPU Software VersionAffected DriverFixed vGPU / Driver
Up to 20.0595.58.0220.1 / 595.71.03
Up to 19.4580.126.0819.5 / 580.159.01
Up to 16.13535.288.0116.14 / 535.309.01

NVIDIA Cloud Gaming Linux Guest Driver and vGPU Manager are also patched to the same driver versions shown above under the "April 2026 Release" label via the NVIDIA Licensing Portal.

R570 branch end of life: NVIDIA confirmed to GamingOnLinux that the R570 branch has reached end of life status and will not receive a security fix for CVE-2026-24187. Users still on R570 must migrate to a supported branch (R535, R580, or R595) to obtain the patch.

Consumer users can obtain updated drivers through the NVIDIA Driver Downloads page. Enterprise and vGPU customers must retrieve updates through the NVIDIA Licensing Portal. Tenable has published Nessus plugin 316514 (published May 22, 2026) to detect unpatched Linux systems via self reported driver version numbers.

Affected Systems and Versions

CVE-2026-24187 affects Linux only. The following components and version ranges are vulnerable:

Standalone Linux Display Drivers:

  • R595 branch: all versions prior to 595.71.05
  • R580 branch: all versions prior to 580.159.03
  • R535 branch: all versions prior to 535.309.01
  • R570 branch: all versions (end of life, no fix available; migration required)

These apply across GeForce, NVIDIA RTX, Quadro, NVS, and Tesla product lines on Linux.

vGPU Guest Drivers (Linux):

  • vGPU software up to 20.0 with driver 595.58.03
  • vGPU software up to 19.4 with driver 580.126.09
  • vGPU software up to 16.13 with driver 535.288.01

Virtual GPU Manager:

  • vGPU software up to 20.0 with driver 595.58.02
  • vGPU software up to 19.4 with driver 580.126.08
  • vGPU software up to 16.13 with driver 535.288.01

Windows display drivers are not affected by this CVE.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization