CVE-2026-24260
Status: Received - Intake

NVIDIA Container Toolkit Linux TOCTOU Race Condition

Vulnerability report for CVE-2026-24260, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: NVIDIA Corporation

Description

NVIDIA Container Toolkit for Linux contains a vulnerability where an attacker could cause a time-of-check time-of-use race condition. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, and data tampering.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor | Product | Version / Range
nvidia | container_toolkit | up to 1.19.0 (inclusive)
nvidia | gpu_operator | up to 26.3.1 (inclusive)

Exploitability

CWE ID | Description
CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

Executive Summary

CVE-2026-24260 is a vulnerability in the NVIDIA Container Toolkit for Linux involving a time-of-check time-of-use (TOCTOU) race condition.

This means that an attacker could exploit a timing flaw between when a system checks a condition and when it uses the result of that check, potentially causing unexpected behavior.

If successfully exploited, this vulnerability might allow an attacker to execute arbitrary code, escalate their privileges, and tamper with data.

Impact Analysis

The impact of this vulnerability includes the possibility for an attacker to gain unauthorized control over affected systems.

  • Arbitrary code execution - attackers can run malicious code.
  • Privilege escalation - attackers can increase their access rights.
  • Data tampering - attackers can modify or corrupt data.

These impacts can lead to serious security breaches, loss of data integrity, and compromise of system confidentiality and availability.

Detection Guidance

This vulnerability affects NVIDIA Container Toolkit for Linux up to version 1.19.0 and NVIDIA GPU Operator up to version 26.3.1. Detection can start by identifying if these affected versions are installed on your system.

You can check the installed versions of these components using commands like:

  • For NVIDIA Container Toolkit: `nvidia-container-cli --version` or check the package version via your package manager, e.g., `dpkg -l | grep nvidia-container-toolkit`
  • For NVIDIA GPU Operator: check the deployed version in your Kubernetes cluster with `kubectl get deployment gpu-operator -n <namespace> -o yaml | grep image`

Additionally, monitoring for unusual privilege escalations or suspicious container behavior might help detect exploitation attempts, but no specific detection commands or signatures are provided in the available resources.
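The version check above can be scripted. The following is an added example, not code from NVIDIA or from the original page: it classifies version strings against the inclusive upper bounds listed on this page, using version-aware ordering so that 1.9.0 is not mistaken for a release newer than 1.19.0. The input format ("component version" per line) and the sample inventory are constructed for illustration.

```shell
#!/usr/bin/env bash
# Inclusive upper bounds of the affected ranges, as listed on this page.
TOOLKIT_MAX="1.19.0"
OPERATOR_MAX="26.3.1"

# Strip a Debian epoch ("1:"), a leading "v", and any revision or
# pre-release suffix ("-1", "~rc.1", "+build"), leaving the X.Y.Z core.
normalize_version() {
  printf '%s\n' "$1" | sed -E 's/^[0-9]+://; s/^v//; s/[-~+].*$//'
}

# is_affected INSTALLED MAX: exit 0 when INSTALLED <= MAX, 1 when newer.
# sort -V orders numerically per component, so 1.9.0 < 1.19.0.
is_affected() {
  local installed max highest
  installed=$(normalize_version "$1")
  max=$(normalize_version "$2")
  highest=$(printf '%s\n%s\n' "$installed" "$max" | sort -V | tail -n 1)
  [ "$highest" = "$max" ]
}

# report: read "component version" lines on stdin, print a verdict for each.
# The line format is an assumption; real input could come from e.g.
#   dpkg-query -W -f='${Package} ${Version}\n' nvidia-container-toolkit
report() {
  local name ver max
  while read -r name ver; do
    case "$name" in
      nvidia-container-toolkit) max=$TOOLKIT_MAX ;;
      gpu-operator)             max=$OPERATOR_MAX ;;
      *) continue ;;
    esac
    if [ -z "$ver" ]; then
      echo "$name UNKNOWN (no version found)"
    elif is_affected "$ver" "$max"; then
      echo "$name $ver AFFECTED (<= $max)"
    else
      echo "$name $ver not in affected range (> $max)"
    fi
  done
}

# Constructed sample inventory, not taken from real hosts.
sample_inventory() {
  printf '%s\n' 'nvidia-container-toolkit 1.9.0-1' \
    'nvidia-container-toolkit 1.19.0-1' 'nvidia-container-toolkit 1.19.1-1' \
    'gpu-operator v26.3.1' 'gpu-operator v26.10.0' 'gpu-operator'
}

sample_inventory | report
```

Because pre-release suffixes are dropped before comparison, a release candidate is classified by its base version; treat such builds as needing manual review.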

Mitigation Strategies

Immediate mitigation steps include updating the NVIDIA Container Toolkit and NVIDIA GPU Operator to versions later than those affected (beyond 1.19.0 for the toolkit and beyond 26.3.1 for the GPU Operator) once patches are available.

Until updates are applied, restrict access to the affected components to trusted users only, and monitor for suspicious activity that could indicate exploitation attempts.

Applying standard security best practices such as minimizing privileges, isolating containers, and using security policies can also reduce the risk.

Compliance Impact

The vulnerability in NVIDIA Container Toolkit for Linux allows for code execution, privilege escalation, and data tampering. Such impacts could potentially affect compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and confidentiality.

However, the provided context and resources do not explicitly describe how this vulnerability directly affects compliance with these or other common standards and regulations.
