ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-24200 — NVIDIA vGPU Manager Use After Free Enables VM Escape

A short review of CVE-2026-24200, a high severity use after free vulnerability in the NVIDIA Virtual GPU Manager that could allow a guest VM to compromise the hypervisor host. Includes patch details and affected version information.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-26

Brief Summary: CVE-2026-24200 — NVIDIA vGPU Manager Use After Free Enables VM Escape
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A use after free vulnerability in the NVIDIA Virtual GPU Manager can allow a malicious guest VM to cross the virtualization boundary and compromise the hypervisor host, putting every co-tenant on the same physical GPU at risk. For organizations running multi-tenant GPU virtualized infrastructure, which now spans a significant portion of enterprise data centers and cloud environments, CVE-2026-24200 represents a meaningful threat to the isolation guarantees that underpin their security model.

NVIDIA's vGPU technology enables multiple virtual machines to share a single physical GPU, and it is widely deployed across VDI, AI/ML training, and cloud computing workloads. With NVIDIA commanding an estimated 80%+ share of the GPU market and the data center GPU market projected to reach $34.73 billion in 2026, the blast radius of a vulnerability in the vGPU Manager is substantial.

Technical Information

Root Cause: Use After Free in Stack Memory

CVE-2026-24200 is classified under CWE-416 (Use After Free), a memory safety flaw where software references memory after it has been freed. In this case, the vulnerability resides in the NVIDIA Virtual GPU Manager, the hypervisor side component that mediates access between guest virtual machines and the physical GPU hardware. The specific use after free condition targets stack memory, a particularly sensitive memory region that stores function call frames, return addresses, and local variables.

When stack memory is freed but subsequently referenced through a dangling pointer, the memory region may be reallocated for a different purpose. An attacker who can influence the content of the reallocated region can then manipulate the program's execution flow when the original code dereferences the stale pointer. This mechanism enables the full range of impacts described in the advisory: denial of service, escalation of privileges, information disclosure, data tampering, and code execution.

CVSS Vector Breakdown

The CVSS v3.1 vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, which breaks down as follows:

CVSS MetricValueImplication
Attack Vector (AV)LocalAttacker needs local access, typically through a guest VM on the hypervisor
Attack Complexity (AC)LowNo special conditions required; straightforward to exploit once access is obtained
Privileges Required (PR)LowMinimal privileges needed on the guest VM to trigger the flaw
User Interaction (UI)NoneNo user interaction required on the host or hypervisor side
Scope (S)ChangedImpact crosses a trust boundary from guest VM to the hypervisor host
Confidentiality (C)HighComplete information disclosure possible on the hypervisor
Integrity (I)HighComplete data tampering possible on the hypervisor
Availability (A)HighComplete denial of service possible on the hypervisor

The Scope: Changed metric is the critical detail here. It indicates that the vulnerability allows a guest VM to impact the hypervisor host, crossing a fundamental trust boundary in virtualized environments. This transforms what would otherwise be a guest level privilege escalation into a full hypervisor compromise.

It is worth noting the scoring discrepancy across different sources. NVIDIA assigned a base score of 7.0, while Tenable and the NVD assessed it at 8.8. Both fall in the "High" severity range, but the difference reflects varying assessments of the CVSS vector components. The Tenable Vulnerability Priority Rating (VPR) of 5.9 (Medium) factors in threat intelligence context, including the current absence of known exploitation, which moderates the real world risk rating.

Attack Flow

In a typical exploitation scenario, the attack would proceed as follows:

  1. Initial Access: An attacker gains access to a guest virtual machine running on a hypervisor with the NVIDIA vGPU Manager. This could be a legitimate tenant in a multi-tenant cloud environment or a compromised VM.

  2. Trigger the Use After Free: The attacker issues crafted GPU commands through the vGPU virtualization layer. These commands are designed to trigger the use after free condition in the Virtual GPU Manager's stack memory handling. Because the vGPU Manager processes these commands in the hypervisor's privileged context, the memory corruption occurs at the hypervisor level.

  3. Exploit the Dangling Pointer: Once the stack memory is freed and reallocated, the attacker manipulates the content of the reallocated memory region. When the vGPU Manager dereferences the stale pointer, it operates on attacker controlled data.

  4. Achieve Impact: Depending on the attacker's objective, this could result in arbitrary code execution with hypervisor level privileges, access to other tenant VMs' memory, modification of host level data, or a crash of the hypervisor (denial of service to all hosted VMs).

The specific GPU commands and code paths needed to trigger the vulnerability are not publicly documented, and no proof of concept exploit code has been published as of the date of this analysis.

Patch Information

NVIDIA addressed CVE-2026-24200 in its Security Bulletin: NVIDIA GPU Display Drivers, May 2026 (bulletin ID 5821), initially released on May 19, 2026, and revised through May 21, 2026. This is a closed source, vendor distributed binary patch; there is no public source code diff or commit to inspect, as is typical for proprietary NVIDIA driver updates.

An important detail: CVE-2026-24200 is remediated only in the R595 and R580 driver branches. The older R535 long term support branch does not include a fix for this specific CVE, which is a critical consideration for administrators running legacy vGPU deployments.

Virtual GPU Manager (Hypervisor Side)

XenServer, VMware vSphere, Red Hat Enterprise Linux KVM, Ubuntu:

Driver BranchAffected vGPU SW / DriverFixed vGPU SW / Driver
R595≤ 20.0 / 595.58.0220.1 / 595.71.03
R580≤ 19.4 / 580.126.0819.5 / 580.159.01

Azure Local, Windows Server:

Driver BranchAffected vGPU SW / DriverFixed vGPU SW / Driver
R595≤ 20.0 / 595.9420.1 / 596.38
R580≤ 19.4 / 582.1619.5 / 582.51

vGPU Guest Drivers

Windows:

Driver BranchAffected vGPU SW / DriverFixed vGPU SW / Driver
R595≤ 20.0 / 595.9720.1 / 596.36
R580≤ 19.4 / 582.1619.5 / 582.53

Linux:

Driver BranchAffected vGPU SW / DriverFixed vGPU SW / Driver
R595≤ 20.0 / 595.58.0320.1 / 595.71.05
R580≤ 19.4 / 580.126.0919.5 / 580.159.03

NVIDIA Cloud Gaming

For Cloud Gaming environments (Virtual GPU Manager on RHEL KVM and VMware vSphere), the fix ships in the April 2026 Release with driver version 595.71.03, replacing the vulnerable March 2026 release (driver 595.58.02).

Distribution Channels

Updated Virtual GPU Manager packages are distributed through the NVIDIA Licensing Portal. Standard GPU display driver updates are available from the NVIDIA Driver Downloads page.

Remediation Notes

NVIDIA has confirmed that no workarounds are available. Driver updates are the sole mitigation path. Organizations should also note that CVE-2026-24200 is one of 15 CVEs addressed in the May 2026 bulletin. Applying the complete set of fixes is strongly recommended, particularly since CVE-2026-24187 (CVSS 8.8, use after free in the Linux Display Driver) represents a higher severity flaw in the same bulletin.

For organizations that cannot immediately patch, the following compensating controls can reduce exposure, though they do not remediate the underlying vulnerability:

  • Restrict GPU operations available to guest VMs where possible
  • Ensure hypervisor level memory isolation and virtualization sandboxing are properly configured
  • Deploy hypervisor level monitoring to detect unusual GPU command patterns or unexpected VM to hypervisor interactions
  • Reduce multi-tenant GPU sharing across different trust domains until patches are applied

Affected Systems and Versions

The vulnerability affects the NVIDIA Virtual GPU Manager across all supported hypervisor platforms:

vGPU Manager on XenServer, VMware vSphere, RHEL KVM, Ubuntu:

  • vGPU software version 20.0 and earlier (driver ≤ 595.58.02) on the R595 branch
  • vGPU software version 19.4 and earlier (driver ≤ 580.126.08) on the R580 branch
  • vGPU software version 16.13 and earlier (driver ≤ 535.288.01) on the R535 branch (note: no fix available for R535)

vGPU Manager on Azure Local, Windows Server:

  • vGPU software version 20.0 and earlier (driver ≤ 595.94) on the R595 branch
  • vGPU software version 19.4 and earlier (driver ≤ 582.16) on the R580 branch

vGPU Guest Driver on Windows:

  • vGPU software version 20.0 and earlier (driver ≤ 595.97) on the R595 branch
  • vGPU software version 19.4 and earlier (driver ≤ 582.16) on the R580 branch
  • vGPU software version 16.13 and earlier (driver ≤ 539.64) on the R535 branch

vGPU Guest Driver on Linux:

  • vGPU software version 20.0 and earlier (driver ≤ 595.58.03) on the R595 branch
  • vGPU software version 19.4 and earlier (driver ≤ 580.126.09) on the R580 branch
  • vGPU software version 16.13 and earlier (driver ≤ 535.288.01) on the R535 branch

The affected hypervisor platforms include XenServer, VMware vSphere, Red Hat Enterprise Linux KVM, Ubuntu, Azure Local, and Windows Server.

Vendor Security History

NVIDIA maintains a formal Product Security Incident Response Team (PSIRT) that publishes security bulletins on a regular cadence. Starting October 1, 2025, NVIDIA PSIRT began publishing security bulletins on GitHub in Markdown, CSAF, and CVE formats, improving transparency and machine readable access to vulnerability data.

The vGPU Manager has a history of security vulnerabilities with similar guest to hypervisor impact patterns. A notable precedent is CVE-2025-23352, an uninitialized pointer access vulnerability in the Virtual GPU Manager that allowed a malicious guest VM to trigger access to an uninitialized pointer within the hypervisor's GPU management layer. This recurring pattern of guest to hypervisor escape vectors in the vGPU Manager suggests that the virtualization boundary between guest VMs and the GPU manager remains an area of ongoing security concern in NVIDIA's architecture.

NVIDIA vulnerabilities are regularly tracked at the national cybersecurity level; the CISA vulnerability summary for the week of January 26, 2026 referenced NVIDIA security bulletins. The May 2026 bulletin containing CVE-2026-24200 addresses 15 vulnerabilities total, including CVE-2026-24187 (CVSS 8.8), indicating that the vGPU and GPU display driver stack continues to be an active area for security research and remediation.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization