Skip to main content

Nvidia CVE-2026-24146

| EUVDEUVD-2026-19749 HIGH
Memory Allocation with Excessive Size Value (CWE-789)
2026-04-07 nvidia
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 16, 2026 - 17:22 vuln.today
cvss_changed
EUVD ID Assigned
Apr 07, 2026 - 18:00 euvd
EUVD-2026-19749
Analysis Generated
Apr 07, 2026 - 18:00 vuln.today
CVE Published
Apr 07, 2026 - 17:11 nvd
HIGH 7.5

DescriptionCVE.org

NVIDIA Triton Inference Server contains a vulnerability where insufficient input validation and a large number of outputs could cause a server crash. A successful exploit of this vulnerability might lead to denial of service.

AnalysisAI

NVIDIA Triton Inference Server crashes when processing inference requests with insufficient input validation combined with large output counts, enabling remote denial of service without authentication (CVSS 7.5, EPSS data not available). The vulnerability affects all versions prior to r26.02, with no public exploit identified at time of analysis. Unauthenticated remote attackers can exploit this flaw with low complexity (AV:N/AC:L/PR:N) to completely disrupt machine learning inference services.

Technical ContextAI

NVIDIA Triton Inference Server is an open-source inference serving platform that provides GPU-accelerated deployment of AI models across frameworks including TensorFlow, PyTorch, and ONNX. This vulnerability is classified as CWE-789 (Memory Allocation with Excessive Size Value), indicating the server fails to properly validate input parameters before allocating resources for inference outputs. When an attacker crafts requests specifying excessively large output dimensions, the insufficient bounds checking allows memory allocation attempts that exceed safe thresholds, triggering a server crash. The affected component is cpe:2.3:a:nvidia:triton_inference_server, which processes inference requests over network protocols (HTTP/gRPC). The lack of input sanitization on output size parameters represents a fundamental input validation failure in the request handling pipeline, where untrusted user-controlled data directly influences resource allocation decisions without proper constraint enforcement.

RemediationAI

Upgrade NVIDIA Triton Inference Server to version r26.02 or later, which contains input validation improvements that properly constrain output size parameters and prevent excessive memory allocation attempts. Download the patched release from NVIDIA NGC (nvcr.io/nvidia/tritonserver:26.02-py3) or build from the corresponding GitHub release tag if using a custom deployment. For environments unable to immediately upgrade, implement network-level rate limiting and request size restrictions on Triton's HTTP (default port 8000) and gRPC (default port 8001) endpoints to mitigate exploitation attempts, though this provides only partial protection against crafted low-volume attacks. Review and restrict network access to inference endpoints using firewall rules or service mesh policies, limiting exposure to trusted clients only. Monitor server logs for abnormal termination events and unusual output dimension values in inference requests. Complete remediation guidance and version-specific patches are documented in NVIDIA's security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5816.

More in Nvidia

View all
CVE-2016-1741 CRITICAL POC
9.8 Mar 24

The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.4 allows attackers to execute arbitrary c

CVE-2013-0109 HIGH POC
7.2 Apr 08

The NVIDIA driver before 307.78, and Release 310 before 311.00, in the NVIDIA Display Driver service on Windows does not

CVE-2019-5684 CRITICAL POC
10.0 Aug 06

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft

CVE-2026-24207 CRITICAL POC
9.8 May 20

Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected funct

CVE-2019-5685 CRITICAL POC
9.8 Aug 06

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft

CVE-2025-23359 HIGH POC
8.3 Feb 12

NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default co

CVE-2016-8812 HIGH POC
8.8 Nov 08

For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA GeForce Experience R340 before GFE 2.11.4.125 and R375 before G

CVE-2016-1861 HIGH POC
7.8 Jun 19

The NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privi

CVE-2024-0132 HIGH POC
8.3 Sep 26

NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with de

CVE-2016-1846 HIGH POC
7.8 May 20

The nvCommandQueue::GetHandleIndex method in the NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows a

CVE-2015-7865 HIGH POC
7.7 Nov 24

nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before

CVE-2016-8811 HIGH POC
7.8 Nov 08

For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 3

Share

CVE-2026-24146 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy