PatchSiren cyber security CVE debrief
CVE-2026-24200 NVIDIA CVE debrief
A use-after-free vulnerability in NVIDIA vGPU software's virtual GPU manager allows local attackers with low privileges to potentially achieve denial of service, privilege escalation, information disclosure, data tampering, or code execution. The vulnerability stems from improper handling of stack memory in the virtual GPU manager component. With a CVSS 3.1 score of 7.0 (HIGH), this vulnerability requires local access and high attack complexity, but successful exploitation yields complete confidentiality, integrity, and availability impact. The vulnerability was disclosed by NVIDIA's PSIRT and published to NVD on May 26, 2026. Organizations using NVIDIA vGPU software should monitor for security updates from NVIDIA and apply patches when available.
- Vendor: NVIDIA
- Product: Virtual GPU Manager
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Organizations running NVIDIA vGPU software in virtualized environments, particularly those with multi-tenant deployments or untrusted local users. Cloud service providers, enterprises with VDI/DaaS infrastructure, and organizations using GPU virtualization for AI/ML workloads should prioritize monitoring and patching.
Technical summary
The virtual GPU manager in NVIDIA vGPU software contains a use-after-free vulnerability affecting stack memory. A local attacker with low privileges can trigger this condition, potentially leading to complete system compromise including code execution. The attack requires high complexity but no user interaction. The vulnerability is classified under CWE-416 (Use After Free).
Defensive priority
HIGH
Recommended defensive actions
- Monitor NVIDIA security advisories for vGPU software updates and apply patches when released
- Review and restrict local access to systems running NVIDIA vGPU software to authorized users only
- Assess vGPU deployments for exposure to untrusted local users or guest VMs
- Implement defense-in-depth controls including hypervisor hardening and VM isolation
- Subscribe to NVIDIA security notifications for timely update alerts
Evidence notes
The CVE description confirms a use-after-free in the virtual GPU manager involving stack memory. The CVSS vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H indicates a local attack vector, high complexity, low privileges required, no user interaction, and high impact across the CIA triad. CWE-416 (Use After Free) is classified as the primary weakness.
Official resources
- CVE-2026-24200 CVE record (CVE.org)
- CVE-2026-24200 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
NVIDIA PSIRT disclosed this vulnerability via NVD on May 26, 2026. The vendor has published a security notice with affected product details and remediation guidance.