Skip to main content

Nvidia CVE-2026-24158

| EUVDEUVD-2026-15013 HIGH
Memory Allocation with Excessive Size Value (CWE-789)
2026-03-24 nvidia GHSA-272x-gpf6-6c9f
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 24, 2026 - 20:31 euvd
EUVD-2026-15013
Analysis Generated
Mar 24, 2026 - 20:31 vuln.today
CVE Published
Mar 24, 2026 - 20:26 nvd
HIGH 7.5

DescriptionCVE.org

NVIDIA Triton Inference Server contains a vulnerability in the HTTP endpoint where an attacker may cause a denial of service by providing a large compressed payload. A successful exploit of this vulnerability may lead to denial of service.

AnalysisAI

NVIDIA Triton Inference Server contains a denial of service vulnerability in its HTTP endpoint that can be exploited by sending large compressed payloads. The vulnerability has a CVSS score of 7.5 (High) and is exploitable remotely without authentication or user interaction. There is no evidence of active exploitation (not in CISA KEV), and no public proof-of-concept has been identified at this time.

Technical ContextAI

NVIDIA Triton Inference Server is a model serving platform for deploying AI/ML models in production environments. This vulnerability (CWE-789: Memory Allocation with Excessive Size Value) affects the HTTP endpoint's handling of compressed data, where the server fails to properly validate or limit the size of decompressed payloads. When processing compressed data, systems must guard against 'zip bomb' or compression ratio attacks where small compressed inputs expand to massive decompressed outputs, exhausting memory or CPU resources. The affected product is identified by CPE cpe:2.3:a:nvidia:triton_inference_server:*:*:*:*:*:*:*:*, indicating the vulnerability spans multiple versions of the inference server's HTTP API implementation.

RemediationAI

Consult the official NVIDIA security advisory at https://nvidia.custhelp.com/app/answers/detail/a_id/5790 for patch availability and upgrade instructions to a fixed version of Triton Inference Server. As an immediate mitigation, implement rate limiting and payload size restrictions at the reverse proxy or load balancer level in front of Triton Inference Server instances to prevent large compressed payloads from reaching the vulnerable HTTP endpoint. Additional hardening measures include restricting network access to the HTTP endpoint to trusted IP ranges only, deploying web application firewalls with decompression bomb detection capabilities, and monitoring resource utilization for anomalous spikes that may indicate exploitation attempts. If the HTTP endpoint is not required for your deployment architecture, disable it in favor of gRPC or other protocols if supported.

More in Nvidia

View all
CVE-2016-1741 CRITICAL POC
9.8 Mar 24

The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.4 allows attackers to execute arbitrary c

CVE-2013-0109 HIGH POC
7.2 Apr 08

The NVIDIA driver before 307.78, and Release 310 before 311.00, in the NVIDIA Display Driver service on Windows does not

CVE-2019-5684 CRITICAL POC
10.0 Aug 06

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft

CVE-2026-24207 CRITICAL POC
9.8 May 20

Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected funct

CVE-2019-5685 CRITICAL POC
9.8 Aug 06

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft

CVE-2025-23359 HIGH POC
8.3 Feb 12

NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default co

CVE-2016-8812 HIGH POC
8.8 Nov 08

For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA GeForce Experience R340 before GFE 2.11.4.125 and R375 before G

CVE-2016-1861 HIGH POC
7.8 Jun 19

The NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privi

CVE-2024-0132 HIGH POC
8.3 Sep 26

NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with de

CVE-2016-1846 HIGH POC
7.8 May 20

The nvCommandQueue::GetHandleIndex method in the NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows a

CVE-2015-7865 HIGH POC
7.7 Nov 24

nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before

CVE-2016-8811 HIGH POC
7.8 Nov 08

For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 3

Share

CVE-2026-24158 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy