<Vulnerability name="CVE-2026-24260">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-01T14:34:54</PublicDate>
    <Bugzilla id="2496027" url="https://bugzilla.redhat.com/show_bug.cgi?id=2496027" xml:lang="en:us">
NVIDIA Container Toolkit: NVIDIA Container Toolkit: Privilege escalation and code execution via race condition
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>8.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-367</CWE>
    <Details xml:lang="en:us" source="Mitre">
NVIDIA Container Toolkit for Linux contains a vulnerability where an attacker could cause a time-of-check time-of-use race condition. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, and data tampering.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in NVIDIA Container Toolkit. An attacker could exploit a time-of-check time-of-use (TOCTOU) race condition. This vulnerability might allow an attacker to achieve code execution, escalate privileges, and tamper with data.
    </Details>
    <Statement xml:lang="en:us">
A flaw was found in NVIDIA Container Toolkit versions through 1.19.0, where a time-of-check time-of-use (TOCTOU) race condition could allow an attacker to achieve code execution, privilege escalation, and data tampering. Red Hat ships NVIDIA Container Toolkit version 1.19.1 in RHEL 9 and RHEL 10, which includes the fix for this vulnerability.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>nvidia-container-toolkit</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>nvidia-container-toolkit</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-24260
https://nvd.nist.gov/vuln/detail/CVE-2026-24260
https://github.com/NVIDIA/product-security/tree/main/2026/5850
    </References>
</Vulnerability>