Nvidia: 16 CVEs Across GPU Drivers and vGPU Disclosed in Single-Day Advisory
Nvidia disclosed 16 vulnerabilities on May 26, 2026, spanning GPU Display Drivers, vGPU software, and the Transformers4Rec AI library, with seven High-severity flaws rated CVSS 7.8 or higher.

Nvidia published a coordinated batch of 16 security advisories on May 26, 2026, covering vulnerabilities across its GPU Display Drivers (Windows and Linux), vGPU software, and the Transformers4Rec AI library. The disclosure window was tightly clustered — all CVEs were published within a single hour — and the batch includes seven High-severity flaws rated CVSS 7.8 or higher, several of which could lead to code execution, privilege escalation, and information disclosure.
Display Driver flaws dominate the batch. The largest group targets the Nvidia GPU Display Driver for Linux and Windows. The most severe of these is CVE-2026-24187 (CVSS 8.8), a use-after-free vulnerability in the Linux Display Driver that could enable denial of service, privilege escalation, information disclosure, data tampering, and code execution. Four additional Display Driver CVEs — CVE-2026-24193, CVE-2026-24192, CVE-2026-24190, and CVE-2026-24194 — each carry a CVSS score of 7.8. CVE-2026-24193 affects both Windows and Linux drivers and stems from an out-of-bounds write. CVE-2026-24192 is a Linux-specific heap buffer overflow caused by an incorrect numeric type conversion. CVE-2026-24190 involves improper access to GPU resources in the kernel mode layer across both platforms. CVE-2026-24194 is a Linux kernel mode layer handler flaw involving improper permission handling.
Race conditions and memory safety issues in Linux drivers. Several Linux-specific Display Driver vulnerabilities involve concurrency and memory handling. CVE-2026-24199 (CVSS 4.7) describes a race condition in a kernel module where compiler or processor memory instruction reordering could lead to denial of service. CVE-2026-24198 (CVSS 5.6) is a separate race condition that could leak sensitive memory. CVE-2026-24196 (CVSS 7.1) is an out-of-bounds read in the Linux Display Driver, while CVE-2026-24195 (CVSS 7.1) involves improper input validation in the Unified Virtual Memory (UVM) subsystem. CVE-2026-24197 (CVSS 6.5) affects Multi-Instance GPU (MIG) partition management, where insecure default initialization of memory routing resources could cause data corruption or a system hang during partition reconfiguration.
Windows-specific and cross-platform driver bugs. CVE-2026-24191 (CVSS 7.8) is a time-of-check time-of-use (TOCTOU) issue in the Windows Display Driver that could lead to code execution and privilege escalation. CVE-2026-24182 (CVSS 6.5) affects both Windows and Linux drivers and involves leaking held driver locks, which could result in denial of service. CVE-2025-33221 (CVSS 4.4) is a permission-assignment flaw in the kernel driver for both platforms, enabling data tampering and denial of service.
vGPU software vulnerabilities. Two CVEs target Nvidia's virtual GPU (vGPU) software. CVE-2026-24200 (CVSS 7.0) is a use-after-free for stack memory in the virtual GPU manager, with potential impact including denial of service, privilege escalation, information disclosure, data tampering, and code execution. CVE-2026-24201 (CVSS 5.8) is an out-of-bounds access in the same component that could lead to data tampering, denial of service, or information disclosure.
Transformers4Rec deserialization bug. A notable outlier in the batch is CVE-2026-24162 (CVSS 7.8), which affects Nvidia Transformers4Rec for Linux — a library for building recommender systems with transformer models. The vulnerability involves improper deserialization of untrusted data, which could lead to code execution, data tampering, and information disclosure. This CVE stands apart from the driver-focused bulk of the advisory and signals that Nvidia's AI/ML software stack remains in scope for security research.
Patch status and response. Nvidia has released security updates for all affected products. Users of Nvidia GPU Display Drivers, vGPU software, and Transformers4Rec should consult the Nvidia Security Bulletin for the specific patched version numbers applicable to their driver branch and platform. As of publication, Nvidia has not reported active exploitation in the wild for any of the 16 CVEs.
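One way to script the per-branch version check described above, as an added example that is not part of the original article or of Nvidia's tooling. The branch numbers and minimum versions in `MIN_PATCHED` are constructed placeholders to be replaced with the values from the Nvidia Security Bulletin, and treating the first version component as the driver branch is an assumption.

```python
# Added example: branch-aware patch check for Nvidia driver versions.
# MIN_PATCHED holds constructed placeholders, NOT real fixed versions;
# fill it in from the Nvidia Security Bulletin for your platform.
import subprocess

# Assumption: branch = first version component -> minimum patched version
MIN_PATCHED = {
    "900": "900.10.02",  # placeholder
    "901": "901.5.01",   # placeholder
}


def parse_version(text):
    """'900.10.02' -> (900, 10, 2); raises ValueError on malformed input."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected driver version: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(installed, min_patched=MIN_PATCHED):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one version."""
    ver = parse_version(installed)
    branch = str(ver[0])
    if branch not in min_patched:
        # A higher number in a different branch says nothing about this one.
        return "unknown-branch"
    fixed = parse_version(min_patched[branch])
    # Compare numerically, padded to equal length: as strings,
    # "900.9.05" would wrongly sort above "900.10.02".
    width = max(len(ver), len(fixed))
    ver += (0,) * (width - len(ver))
    fixed += (0,) * (width - len(fixed))
    return "patched" if ver >= fixed else "vulnerable"


def installed_versions():
    """Query local GPUs via nvidia-smi; returns the distinct driver versions."""
    out = subprocess.run(
        ["nvidia-smi", "--query-gpu=driver_version", "--format=csv,noheader"],
        capture_output=True, text=True, check=True).stdout
    return sorted({line.strip() for line in out.splitlines() if line.strip()})


if __name__ == "__main__":
    for version in installed_versions():
        print(version, patch_status(version))
```

An `unknown-branch` result means the bulletin entry for that branch still has to be looked up; it is not a pass.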
Why this batch matters. The sheer volume — 16 CVEs in a single coordinated disclosure — underscores the attack surface complexity of Nvidia's GPU ecosystem, which now spans traditional graphics drivers, virtualized GPU environments, and AI/ML libraries. The seven CVEs rated 7.8 or above, particularly those enabling code execution and privilege escalation, should be prioritized by enterprise teams managing Nvidia-powered infrastructure, data-center GPU clusters, and AI workloads. The inclusion of Transformers4Rec also serves as a reminder that the AI software supply chain is increasingly subject to the same vulnerability disclosure cycles as core driver firmware.