Cyber Resilience

CVE-2026-24189

Severity: High
Published: 21 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
EPSS Score: 0.0032 (23.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-24189 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Custhelp (inferred from references). Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS exploit likelihood ranks at the 23.7th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24189 is a vulnerability in NVIDIA CUDA-Q, affecting an endpoint within the software. It stems from an out-of-bounds read condition (CWE-125) that can be triggered by an unauthenticated attacker sending a maliciously crafted request. The issue carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H), indicating high severity due to its network accessibility, low attack complexity, and potential for significant impact.

Any unauthenticated attacker with network access to the vulnerable CUDA-Q endpoint can exploit this flaw without privileges or user interaction. Successful exploitation could result in denial of service (the high availability impact in the vector) alongside limited information disclosure.

For mitigation details, security practitioners should refer to official advisories including the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-24189, NVIDIA's security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5820, and the CVE record at https://www.cve.org/CVERecord?id=CVE-2026-24189.

Vulnerability details

NVIDIA CUDA-Q contains a vulnerability in an endpoint, where an unauthenticated attacker could cause an out-of-bounds read by sending a maliciously crafted request. A successful exploit of this vulnerability might lead to denial of service and information disclosure.

CWE(s)

CWE-125 Out-of-bounds Read

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The flaw is a remote, unauthenticated network exploit of a public-facing CUDA-Q endpoint via a crafted request, enabling denial of service and limited information disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42799 (shared CWE-125)
CVE-2026-22984 (shared CWE-125)
CVE-2025-1674 (shared CWE-125)
CVE-2025-55100 (shared CWE-125)
CVE-2026-3055 (shared CWE-125)
CVE-2026-41415 (shared CWE-125)
CVE-2025-48530 (shared CWE-125)
CVE-2026-34235 (shared CWE-125)
CVE-2026-4424 (shared CWE-125)
CVE-2025-1675 (shared CWE-125)

Affected Assets

Custhelp (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 (Flaw Remediation): Requires timely remediation of the specific out-of-bounds read flaw in the NVIDIA CUDA-Q endpoint to eliminate the vulnerability.

prevent · SI-10 (Information Input Validation): Enforces validation of information inputs at the vulnerable endpoint to block maliciously crafted requests that trigger out-of-bounds reads.

prevent: Protects system resource availability against denial-of-service impacts from exploitation of the out-of-bounds read vulnerability.

References