CVE-2026-24190 Overview
CVE-2026-24190 is a kernel mode driver vulnerability affecting the NVIDIA Display Driver for both Windows and Linux platforms. The flaw resides in the kernel mode layer and allows a local authenticated user to cause improper access to GPU resources. The weakness is categorized as Missing Authorization [CWE-862], meaning the driver fails to enforce proper authorization checks before granting access to privileged GPU operations.
Successful exploitation can result in denial of service, escalation of privileges, information disclosure, data tampering, and code execution within the kernel context.
Critical Impact
A local low-privileged user can leverage this driver flaw to escalate privileges, execute code in the kernel, tamper with data, or trigger a denial of service on systems running affected NVIDIA Display Driver versions.
Affected Products
- NVIDIA Display Driver for Windows
- NVIDIA Display Driver for Linux
- GPU kernel mode layer component
Discovery Timeline
- 2026-05-26 - CVE-2026-24190 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-24190
Vulnerability Analysis
The vulnerability exists in the kernel mode layer of the NVIDIA Display Driver, which mediates user-mode requests for GPU resources. Because the driver runs at ring 0, any authorization gap directly exposes kernel memory and execution context to lower-privileged callers.
The weakness is classified as Missing Authorization [CWE-862]. The driver accepts requests from user space without verifying that the calling process has the rights required to perform the requested GPU operation. An attacker who can run code on the host can interact with the driver interface and trigger operations they should not be permitted to perform.
Reported impacts include denial of service, escalation of privileges, information disclosure, data tampering, and arbitrary code execution. The breadth of impact reflects the kernel-level position of the affected component.
Root Cause
The root cause is the absence of an authorization check on a code path within the kernel mode driver. The driver exposes GPU resource handling functionality to user mode without validating that the caller is entitled to invoke it. This permits a local user to reach kernel logic that should be restricted to privileged contexts.
Attack Vector
The attack vector is local. An attacker requires the ability to execute code on the target system with low privileges and no user interaction beyond their own session. The attacker opens a handle to the NVIDIA driver interface and issues crafted requests against the unprotected code path. Depending on the operation chosen, the result ranges from leaking kernel memory to writing attacker-controlled data into kernel structures, enabling privilege escalation or code execution.
No public proof-of-concept exploit is currently associated with this CVE, and it is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-24190
Indicators of Compromise
- Unexpected loading or interaction with NVIDIA kernel driver modules (nvlddmkm.sys on Windows, nvidia.ko on Linux) by non-graphics processes.
- Kernel crashes, bug checks, or oops entries referencing NVIDIA driver components on multi-user or workstation systems.
- Local accounts spawning elevated processes or new SYSTEM/root sessions shortly after invoking GPU-related IOCTLs.
Detection Strategies
- Inventory installed NVIDIA Display Driver versions across Windows and Linux endpoints and compare against the fixed releases listed in the NVIDIA Support Article.
- Monitor for non-graphical processes opening handles to the NVIDIA driver device objects or issuing unexpected IOCTLs.
- Correlate local privilege escalation telemetry with prior GPU driver activity from the same process lineage.
Monitoring Recommendations
- Enable EDR telemetry for kernel driver load events and ioctl-level activity targeting GPU device interfaces.
- Centralize Windows Event Log and Linux auditd records covering driver interactions, kernel crashes, and privilege transitions.
- Alert on processes that hold a handle to the NVIDIA driver and subsequently spawn shells or modify protected system locations.
How to Mitigate CVE-2026-24190
Immediate Actions Required
- Apply the patched NVIDIA Display Driver version referenced in the NVIDIA Support Article to all affected Windows and Linux hosts.
- Prioritize multi-user systems, workstations handling sensitive data, and any host where untrusted users can execute code.
- Restrict interactive and remote shell access on affected systems until patching is complete.
Patch Information
NVIDIA has published a security bulletin addressing this issue. Refer to the NVIDIA Support Article for the list of fixed driver branches and download links. Confirm the deployed version meets or exceeds the fixed version for each operating system and GPU family. Authoritative references are also available in the NVD CVE-2026-24190 Details and the CVE.org Record for CVE-2026-24190.
Workarounds
- Limit local logon rights and remove interactive access for untrusted users on systems that cannot be patched immediately.
- Apply application control policies to prevent execution of untrusted binaries that could invoke the vulnerable driver path.
- For headless servers that do not require display output, evaluate whether the NVIDIA Display Driver is needed or can be replaced with a compute-only configuration.
# Configuration example: verify installed NVIDIA driver version
# Windows (PowerShell)
Get-WmiObject Win32_PnPSignedDriver | Where-Object { $_.DeviceName -like "*NVIDIA*" } | Select-Object DeviceName, DriverVersion
# Linux
nvidia-smi --query-gpu=driver_version --format=csv,noheader
modinfo nvidia | grep ^version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
