ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-24191 NVIDIA Display Driver TOCTOU Race Condition Enables Privilege Escalation on Windows

A brief summary of CVE-2026-24191, a high severity TOCTOU race condition in the NVIDIA Display Driver for Windows that can lead to privilege escalation and code execution. Includes patch details across all affected driver branches and vGPU software.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-26

Quick Look: CVE-2026-24191 NVIDIA Display Driver TOCTOU Race Condition Enables Privilege Escalation on Windows
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A race condition in the NVIDIA Display Driver for Windows lets a local attacker with low privileges manipulate a resource between its validation and use, opening the door to privilege escalation into kernel mode. Given that NVIDIA GPUs are ubiquitous across enterprise workstations, data science environments, and virtualized infrastructure running vGPU software, the blast radius of CVE-2026-24191 extends well beyond gaming rigs.

Technical Information

CVE-2026-24191 is classified under CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition. This vulnerability class arises when software checks the state of a resource at one point in its execution, then uses that resource at a later point, but the resource can be modified by a concurrent actor during the gap between those two operations. In the NVIDIA Display Driver, this means the driver performs a validation step on some resource or parameter, then proceeds to use it under the assumption that the validation still holds. An attacker who can modify the resource during that window effectively bypasses the check entirely.

CVSS Analysis

The CVSS v3.1 vector is AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H, yielding a base score of 7.8 (High).

Breaking this down:

  • Attack Vector: Local (AV:L) means the attacker needs local access to the target system. Remote exploitation is not possible.
  • Attack Complexity: High (AC:H) reflects the inherent difficulty of reliably winning a race condition. The attacker must precisely time their manipulation to fall within the window between check and use.
  • Privileges Required: Low (PR:L) indicates that a standard, unprivileged user account is sufficient to attempt exploitation.
  • User Interaction: None (UI:N) means no action from a victim user is needed.
  • Scope: Changed (S:C) is the most significant indicator here. It means a successful exploit impacts resources beyond the vulnerable component itself. For a kernel mode display driver, this translates to breaking out of the attacker's privilege boundary and affecting the broader operating system kernel.
  • Confidentiality, Integrity, Availability: all High confirms the full range of impact: reading kernel memory, corrupting kernel data structures, and crashing the system.

A supplementary CVSS v4.0 vector from third party analysis (AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) corroborates the local attack surface and high impact profile while noting that attack prerequisites (AT:P) are present, consistent with the race condition timing requirements.

Attack Flow

The exploitation of this vulnerability would follow a general pattern:

  1. Establish local code execution. The attacker gains a foothold on a Windows system running a vulnerable NVIDIA display driver. This could be through a legitimate low privilege user account, compromised credentials, or malware that has achieved initial access through another vector.

  2. Identify the race window. The attacker targets the specific driver operation where a resource is checked and then used with a gap between the two operations. Because the driver is a closed source kernel mode component, identifying this window would require reverse engineering of the driver binary.

  3. Trigger the race condition. The attacker crafts a concurrent operation that modifies the checked resource during the race window. On multi core systems, attackers can improve their odds of winning the race by manipulating thread scheduling, CPU affinity, or system load to widen the window. Multiple attempts may be necessary given the high attack complexity.

  4. Achieve impact. Because the driver operates in kernel mode, winning this race allows the attacker to influence kernel mode execution with attacker controlled data that has bypassed the validation step. Depending on the specific resource being manipulated, the outcomes include:

    • Denial of service by crashing the driver or triggering a system blue screen
    • Privilege escalation by executing code in kernel context
    • Information disclosure by reading kernel memory
    • Data tampering by corrupting kernel data structures
    • Arbitrary code execution with SYSTEM level privileges

Enterprise Risk Context

Enterprise exposure concentrates on endpoints where untrusted local users or code can race driver operations. This includes shared workstations, virtual desktop infrastructure (VDI) environments using vGPU, and any system where an attacker has achieved initial access and is looking to escalate privileges. The scope change in the CVSS vector makes this particularly relevant for environments where containment boundaries (such as user mode isolation) are a critical security control.

Patch Information

NVIDIA addressed CVE-2026-24191 in its May 2026 GPU Display Driver Security Bulletin (advisory ID 5821), initially published on May 19, 2026 and revised through May 21 to correct driver version errors. Because the NVIDIA GPU display driver is a closed source, proprietary kernel mode component, the fix is delivered exclusively through updated driver binaries. There are no public diffs or source code patches to inspect.

The fix itself would involve eliminating the race window. Standard approaches for resolving TOCTOU conditions include acquiring a lock before the check and holding it through the use, performing an atomic check and use operation, or re validating the resource at the point of use.

Patched Driver Versions

Since CVE-2026-24191 affects only the Windows display driver, the fix spans multiple active Windows driver branches:

Product LineDriver BranchPatched Version
GeForceR595596.36
GeForce (Maxwell/Pascal/Volta only)R580582.53
NVIDIA RTX / Quadro / NVSR595596.36
NVIDIA RTX / Quadro / NVSR580582.53
NVIDIA RTX / Quadro / NVSR535539.72
TeslaR595596.36
TeslaR580582.53
TeslaR535539.72

All driver versions prior to the versions listed above within their respective branch are considered vulnerable.

vGPU Software Updates

For virtualized GPU environments, the fix is also available through vGPU Software updates:

  • vGPU 20.1: Windows guest driver 596.36, Linux guest driver 595.71.05
  • vGPU 19.5: Windows guest driver 582.53
  • vGPU 16.14: Windows guest driver 539.72
  • vGPU Manager for Azure Local / Windows Server: vGPU 20.1 with driver 596.38, vGPU 19.5 with driver 582.51

Enterprise administrators managing virtualized GPU environments should obtain these updates through the NVIDIA Licensing Portal.

Bulletin Revision History

The bulletin went through three revisions in rapid succession, which is worth tracking for change control purposes:

  • Revision 1.0 (May 19): Initial publication
  • Revision 2.0 (May 20): Corrected driver branch naming errors, removing an erroneous R570 mention and correcting R590/R595 references
  • Revision 3.0 (May 21): Fixed additional version number mistakes in the vGPU tables

The R570 driver series was confirmed to be end of life and was not patched for this bulletin. Users on that branch must migrate to a supported branch to receive the fix.

Consumer Update Note

Consumer users can download the patched drivers directly from the NVIDIA Driver Downloads page. Notably, the GeForce Game Ready Driver 596.49 (released May 12, prior to the bulletin publication on May 19) already incorporates these security fixes. Users who stay current with Game Ready updates were protected even before the formal disclosure.

Affected Systems and Versions

The vulnerability affects the NVIDIA Display Driver for Windows across the following product families and branches:

  • GeForce: All Windows driver versions prior to 596.36 on the R595 branch, and all versions prior to 582.53 on the R580 branch (Maxwell, Pascal, and Volta GPUs only)
  • NVIDIA RTX / Quadro / NVS: All Windows driver versions prior to 596.36 (R595), 582.53 (R580), or 539.72 (R535)
  • Tesla: All Windows driver versions prior to 596.36 (R595), 582.53 (R580), or 539.72 (R535)
  • vGPU Software Windows guest drivers: Versions prior to vGPU 20.1 (driver 596.36), vGPU 19.5 (driver 582.53), or vGPU 16.14 (driver 539.72)
  • vGPU Manager for Azure Local / Windows Server: Versions prior to vGPU 20.1 (driver 596.38) or vGPU 19.5 (driver 582.51)

The R570 driver branch is end of life and does not receive a patch. Systems running R570 must migrate to a supported branch.

Linux display drivers are not affected by CVE-2026-24191 specifically, though the May 2026 bulletin does address other CVEs on Linux. The Linux driver versions listed in the bulletin (595.71.05, 580.159.03, 535.309.01) address other vulnerabilities in the same bulletin.

Vendor Security History

NVIDIA operates a dedicated Product Security Incident Response Team (PSIRT) that manages vulnerability intake and publishes security bulletins on a regular cadence. Starting October 1, 2025, NVIDIA began publishing bulletins in GitHub Markdown, CSAF, and CVE formats to facilitate automated integration into vulnerability management pipelines. The May 2026 GPU Display Drivers bulletin that includes CVE-2026-24191 is part of a consolidated disclosure model where multiple CVEs are grouped into a single bulletin per product line. The same May 2026 bulletin addresses several other CVEs alongside CVE-2026-24191, and a separate April 2026 bulletin addressed vulnerabilities in NVIDIA CUDA-Q, demonstrating the regular publication cadence.

The bulletin revision history for CVE-2026-24191 (three revisions in three days to correct version number errors) suggests that while the disclosure process is mature, the complexity of tracking patched versions across numerous driver branches and product lines can introduce errors in the advisory itself. Organizations should verify they are referencing the latest revision of any NVIDIA security bulletin before making patching decisions.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization