
CVE-2026-24187: NVIDIA Linux Driver Use-After-Free Flaw

CVE-2026-24187 is a use-after-free vulnerability in NVIDIA Display Driver for Linux that enables denial of service, privilege escalation, and code execution. This article covers technical details, affected versions, and mitigations.


CVE-2026-24187 Overview

CVE-2026-24187 is a use-after-free vulnerability [CWE-416] in the NVIDIA Display Driver for Linux. A local authenticated attacker with low privileges can trigger the flaw to corrupt kernel memory state. Successful exploitation can lead to denial of service, privilege escalation, information disclosure, data tampering, and arbitrary code execution. The impact extends beyond the vulnerable component itself, meaning a compromise can affect resources managed by other security authorities on the host. NVIDIA has published a security advisory describing affected versions and fixed releases.

Critical Impact

Local attackers with low privileges can escalate to code execution, leak kernel memory, or crash systems running affected NVIDIA Linux display drivers.

Affected Products

  • NVIDIA Display Driver for Linux (see NVIDIA Support Answer 5821 for affected branches)
  • Linux systems with NVIDIA GPU kernel module loaded
  • Workstation, data center, and virtualized GPU deployments using the NVIDIA Linux driver

Discovery Timeline

  • 2026-05-26 - CVE-2026-24187 published to NVD
  • 2026-05-26 - Last updated in NVD database

Technical Details for CVE-2026-24187

Vulnerability Analysis

The vulnerability is a use-after-free condition [CWE-416] within the NVIDIA Display Driver for Linux. Use-after-free flaws arise when a program continues to reference a memory region after it has been released back to the allocator. In a kernel driver context, the freed object may be reallocated to attacker-controlled data before the dangling pointer is dereferenced. Attackers can leverage this primitive to corrupt kernel structures, redirect control flow, or read sensitive kernel memory.

The CVSS vector indicates a local attack path requiring low privileges and no user interaction. The scope change reflects that exploitation in the driver can affect resources beyond the driver itself, including the host kernel and other user contexts. Confidentiality, integrity, and availability impacts are all rated high because successful exploitation can result in privilege escalation to kernel level.

Root Cause

The root cause is improper lifetime management of a kernel object within the display driver. The driver releases an allocation while a reference to it remains reachable through another code path. When that stale reference is later used, the underlying memory may already contain data from a subsequent allocation, producing type confusion or attacker-controlled writes inside the kernel.

Attack Vector

Exploitation requires local code execution as an unprivileged user on a system running the affected driver. The attacker issues a sequence of ioctl or device file operations against the NVIDIA character devices (such as /dev/nvidia*) to allocate, free, and reuse the vulnerable object. By racing the free with a competing allocation request, the attacker reclaims the slab slot with controlled data before the dangling pointer is dereferenced. The driver then operates on attacker-controlled memory inside ring 0, enabling escalation to root.

No verified public proof-of-concept is currently available. Refer to the NVD entry for CVE-2026-24187 and the NVIDIA advisory for vendor-supplied technical details.

Detection Methods for CVE-2026-24187

Indicators of Compromise

  • Unexpected kernel oops or panics referencing nvidia.ko, nvidia-drm, or nvidia-modeset in dmesg and /var/log/kern.log.
  • Unprivileged processes opening /dev/nvidiactl or /dev/nvidia* and issuing large volumes of ioctl calls in short windows.
  • Sudden process privilege transitions where a non-root process spawns child processes running as UID 0 without an authorized setuid path.

Detection Strategies

  • Monitor kernel ring buffer messages for use-after-free signatures such as KASAN, slab-use-after-free, or general protection fault referencing NVIDIA driver symbols.
  • Correlate ioctl activity against NVIDIA device nodes with subsequent privilege escalation events using EDR telemetry.
  • Audit loaded kernel modules and driver versions across the fleet to identify hosts still running pre-patch NVIDIA driver branches.
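
One way to implement the ring-buffer check above, as an added example (not NVIDIA's or the advisory's code). The sample log is constructed, the `nv_example_*` symbols are hypothetical, and the eight-line look-ahead window is an assumption to tune.

```shell
#!/usr/bin/env bash
# Flag kernel fault reports whose faulting symbol lives in an NVIDIA module.
# Reads kernel log text on stdin (for example the output of `dmesg`).
# $1 = how many following lines may carry the module tag (assumed default: 8).
nvidia_fault_scan() {
  awk -v window="${1:-8}" '
    BEGIN {
      # Fault signatures named in the detection guidance above.
      sig = "KASAN|slab-use-after-free|general protection fault|Oops|kernel BUG"
      # Match the "[module]" tag the kernel appends to a symbol. The
      # "Modules linked in:" line is deliberately not matched: it lists every
      # loaded module and would implicate the driver in unrelated crashes.
      mod = "\\[nvidia(_drm|_modeset|_uvm)?\\]"
    }
    $0 ~ sig { pending = $0; left = window + 1 }   # open a look-ahead window
    left > 0 {
      if ($0 ~ mod) { print pending; hits++; left = 0; next }
      left--
    }
    END { exit (hits > 0 ? 0 : 1) }   # exit 0 only when something was flagged
  '
}

# Constructed sample: two reports implicate [nvidia], the third does not.
SAMPLE_LOG='[  101.000001] BUG: KASAN: slab-use-after-free in nv_example_release+0x4c/0x90 [nvidia]
[  101.000002] Read of size 8 at addr ffff888100000000 by task demo/4242
[  230.500000] general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] SMP
[  230.500001] CPU: 3 PID: 4310 Comm: demo Tainted: P           OE
[  230.500002] RIP: 0010:nv_example_ioctl+0x21/0x60 [nvidia]
[  400.000000] general protection fault, probably for non-canonical address 0xdead000000000200: 0000 [#2] SMP
[  400.000001] RIP: 0010:ext4_example_fn+0x10/0x30
[  400.000002] Modules linked in: nvidia_drm nvidia_modeset nvidia'

# Prints the two fault headers attributed to the NVIDIA driver.
printf '%s\n' "$SAMPLE_LOG" | nvidia_fault_scan
```

The non-zero exit status when nothing is flagged lets a cron job or SIEM forwarder alert only on hits.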

Monitoring Recommendations

  • Enable auditd rules covering open, ioctl, and mmap syscalls on /dev/nvidia* device files.
  • Ship kernel logs to a centralized SIEM and alert on driver-related crashes that cluster on the same host within short intervals.
  • Track GPU driver inventory through configuration management and flag deviations from the patched baseline.

How to Mitigate CVE-2026-24187

Immediate Actions Required

  • Identify all Linux hosts running the NVIDIA Display Driver and inventory their installed versions.
  • Apply the fixed driver release listed in the NVIDIA security bulletin as soon as maintenance windows permit.
  • Restrict interactive and SSH access on GPU-equipped systems to trusted administrators while patching is in progress.

Patch Information

NVIDIA has released updated Linux display drivers that remediate CVE-2026-24187. Consult the vendor advisory at NVIDIA Support Answer 5821 for the exact fixed branches and download links. Update the kernel module and reboot affected systems so that the patched nvidia.ko is loaded.

Workarounds

  • Where patching is not yet possible, limit access to /dev/nvidia* device files using filesystem permissions or device cgroups so that only required service accounts can open them.
  • Disable the NVIDIA kernel module on hosts that do not require GPU acceleration until the update is applied.
  • Apply mandatory access controls such as SELinux or AppArmor profiles to constrain which processes can issue ioctls to the GPU driver.
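
```bash
# Verify the installed NVIDIA driver version
nvidia-smi --query-gpu=driver_version --format=csv,noheader

# Tighten permissions on NVIDIA device nodes (example - adjust group as needed).
# Changing ownership and mode of device nodes requires root.
# The nodes can be recreated with default permissions after a reboot or
# module reload, so re-check them afterwards.
sudo chgrp video /dev/nvidia*
sudo chmod 0660 /dev/nvidia*

# Optionally unload the driver on hosts that do not need GPU acceleration
# (rmmod fails while any process still has the module in use)
sudo rmmod nvidia_drm nvidia_modeset nvidia_uvm nvidia
```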

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
