PatchSiren cyber security CVE debrief
CVE-2026-24198 NVIDIA CVE debrief
A race condition vulnerability in NVIDIA GPU Display Driver for Linux allows an advanced attacker with high privileges to leak sensitive memory. The flaw could result in limited information disclosure, denial of service, or data tampering. The CVSS 3.1 score of 5.6 (MEDIUM) reflects local attack vector, low attack complexity, high privileges required, and high availability impact with limited confidentiality and integrity impacts. The vulnerability was published to NVD on 2026-05-26 and remains in 'Awaiting Analysis' status. NVIDIA has published security guidance via their customer help portal. No known exploitation in the wild or ransomware campaign use has been reported.
- Vendor
- NVIDIA
- Product
- GeForce
- CVSS
- MEDIUM 5.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-26
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-26
- Advisory updated
- 2026-05-26
Who should care
Organizations running NVIDIA GPU Display Driver on Linux systems, particularly those in multi-user environments or with untrusted local users. Cloud providers and HPC environments using NVIDIA GPUs should prioritize patch assessment.
Technical summary
The vulnerability exists in NVIDIA GPU Display Driver for Linux where a race condition can be triggered to leak sensitive memory contents. Successful exploitation requires high local privileges and may lead to information disclosure, denial of service, or data tampering. The attack complexity is low but the scope is unchanged, limiting broader system impact.
Defensive priority
medium
Recommended defensive actions
- Review NVIDIA security bulletin for affected driver versions and patch availability
- Assess Linux systems running NVIDIA GPU Display Driver for exposure
- Apply vendor-provided driver updates when available
- Monitor for privilege escalation attempts by authenticated users on GPU-enabled Linux hosts
- Restrict local access to systems running vulnerable NVIDIA drivers where patching is delayed
Evidence notes
Source: NVD modified feed, NVIDIA PSIRT ([email protected]). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Vendor identification marked low confidence due to 'Custhelp' domain inference; requires review.
Official resources
-
CVE-2026-24198 CVE record
CVE.org
-
CVE-2026-24198 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
NVIDIA PSIRT disclosed this vulnerability via NVD on 2026-05-26. The vendor advisory is hosted on NVIDIA's customer support portal.