Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request header to the server. A successful exploit of this vulnerability might lead to denial of service.
AnalysisAI
Remote denial of service in NVIDIA Triton Inference Server versions prior to r26.02 allows unauthenticated attackers to crash the server by sending malformed HTTP request headers over the network. The vulnerability scores 7.5 (High) with maximum availability impact, requires no authentication or user interaction, and has low attack complexity. EPSS and KEV data not provided; no public exploit identified at time of analysis.
Technical ContextAI
NVIDIA Triton Inference Server is a production-ready AI model serving platform that handles inference requests via HTTP/HTTPS and gRPC protocols. This vulnerability stems from CWE-248 (Uncaught Exception), indicating the server fails to properly validate or handle malformed HTTP request headers, allowing an exception to propagate uncaught and terminate the server process. The affected component appears to be the server's request parsing layer, which should sanitize header input before processing. All versions prior to release r26.02 contain this input validation weakness, affecting the core cpe:2.3:a:nvidia:triton_inference_server platform across all deployment configurations.
RemediationAI
Upgrade NVIDIA Triton Inference Server to version r26.02 or later, which contains vendor-released patches addressing the malformed header parsing vulnerability. Organizations should prioritize patching internet-facing inference endpoints and customer-accessible AI services immediately. For environments where immediate patching is not feasible, implement network-level protections including Web Application Firewall (WAF) rules to filter malformed HTTP headers, rate limiting to mitigate DoS impact, and network segmentation to restrict Triton server exposure to trusted clients only. Consult the official NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5816 for complete remediation guidance, release notes, and deployment-specific considerations. Monitor server logs for unusual request patterns or parsing errors that may indicate exploitation attempts during the patching window.
The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.4 allows attackers to execute arbitrary c
The NVIDIA driver before 307.78, and Release 310 before 311.00, in the NVIDIA Display Driver service on Windows does not
NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft
Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected funct
NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft
NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default co
For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA GeForce Experience R340 before GFE 2.11.4.125 and R375 before G
The NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privi
NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with de
The nvCommandQueue::GetHandleIndex method in the NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows a
nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before
For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 3
Same weakness CWE-248 – Uncaught Exception
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19759