Threat Advisory

NVIDIA KAI Scheduler and CUDA-Q Vulnerabilities Create Sensitive API Misuse

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

NVIDIA has addressed vulnerabilities in its KAI Scheduler and CUDA-Q platforms. The flaws include improper authorization weaknesses in KAI Scheduler and an out-of-bounds read issue in CUDA-Q. Successful exploitation could allow attackers to access sensitive API endpoints, tamper with data across namespaces, disclose information, or trigger denial-of-service conditions affecting GPU-accelerated workloads. NVIDIA recommends applying the latest security patches immediately to reduce exposure.

CVE-2026-24177 with a CVSS score of 7.7 – A flaw where API endpoints lack sufficient authorization, allowing an attacker to access sensitive endpoints and leading directly to information disclosure.

CVE-2026-24176 with a CVSS score of 4.3 – A vulnerability involving improper authorization through cross-namespace pod references, potentially allowing an attacker to cause data tampering within the scheduler’s environment.

CVE-2026-24189 with a CVSS score of 8.2 – A vulnerability involving an out-of-bounds read in a specific endpoint, allowing an unauthenticated attacker to send a maliciously crafted request and trigger the flaw, leading to both information disclosure and a denial of service condition.

RECOMMENDATION:

We recommend updating NVIDIA KAI Scheduler and CUDA-Q to version 0.13.0, 0.14.0 or later.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/nvidia-kai-scheduler-cuda-q-security-vulnerabilities-patch/
