CVE-2026-24189
Published: 21 April 2026
Summary
CVE-2026-24189 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in NVIDIA CUDA-Q. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 23.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-24189 is a vulnerability in an endpoint of NVIDIA CUDA-Q. It stems from an out-of-bounds read condition (CWE-125) that an unauthenticated attacker can trigger by sending a maliciously crafted request. The issue carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H); the high severity reflects network reachability, low attack complexity, no required privileges or user interaction, and a high availability impact.
Any unauthenticated attacker with network access to the vulnerable CUDA-Q endpoint can exploit this flaw without privileges or user interaction. Successful exploitation could result in denial of service, primarily through high availability impact, alongside limited information disclosure.
For mitigation details, security practitioners should refer to official advisories including the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-24189, NVIDIA's security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5820, and the CVE record at https://www.cve.org/CVERecord?id=CVE-2026-24189.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24149
Vulnerability details
NVIDIA CUDA-Q contains a vulnerability in an endpoint, where an unauthenticated attacker could cause an out-of-bounds read by sending a maliciously crafted request. A successful exploit of this vulnerability might lead to denial of service and information disclosure.
- CWE(s): CWE-125 (Out-of-bounds Read)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 (Exploit Public-Facing Application): a remote, unauthenticated attacker can exploit the public-facing CUDA-Q endpoint over the network with a crafted request, causing denial of service and limited information disclosure.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): Requires timely remediation of the specific out-of-bounds read flaw in the NVIDIA CUDA-Q endpoint to eliminate the vulnerability.
SI-10 (Information Input Validation): Enforces validation of information inputs at the vulnerable endpoint to block maliciously crafted requests that trigger out-of-bounds reads.
Protects system resource availability against denial-of-service impacts from exploitation of the out-of-bounds read vulnerability.