Cyber Posture

CVE-2024-0146

High

Published: 28 January 2025

Published
28 January 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0004 10.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-0146 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Custhelp (inferred from references). Its CVSS base score is 7.8 (High).

Operationally, ranked at the 10.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely remediation of the specific memory corruption vulnerability in NVIDIA vGPU software through application of vendor patches.

SI-16 Memory Protection good match
prevent

Directly protects against guest-induced memory corruption in the Virtual GPU Manager via mechanisms like DEP and ASLR.

SI-10 Information Input Validation good match
prevent

Enforces input validation to prevent buffer copy without size checking (CWE-120) when the Virtual GPU Manager processes malicious guest data.

NVD Description

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a malicious guest could cause memory corruption. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, or data tampering.

Deeper analysisAI

CVE-2024-0146 is a vulnerability in NVIDIA vGPU software, specifically within the Virtual GPU Manager component. It enables a malicious guest to cause memory corruption, corresponding to CWE-120 (Buffer Copy without Checking Size of Input). The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-01-28.

A malicious guest with local access and low privileges (PR:L) can exploit this issue with low attack complexity and no user interaction required. Successful exploitation could lead to code execution, denial of service, information disclosure, or data tampering.

The NVIDIA security advisory at https://nvidia.custhelp.com/app/answers/detail/a_id/5614 provides details on mitigation and available patches.

Details

CWE(s)
CWE-120

Affected Products

Custhelp
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-24956Shared CWE-120
CVE-2024-57482Shared CWE-120
CVE-2024-57479Shared CWE-120
CVE-2025-69807Shared CWE-120
CVE-2019-25353Shared CWE-120
CVE-2020-37050Shared CWE-120
CVE-2020-37207Shared CWE-120
CVE-2025-50670Shared CWE-120
CVE-2024-53027Shared CWE-120
CVE-2024-57509Shared CWE-120

References