Skip to main content

NVIDIA TensorRT-LLM CVE-2026-24233

| EUVDEUVD-2026-44448 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-14 nvidia GHSA-rjg7-v496-w6mx
8.4
CVSS 3.1 · Vendor: nvidia
Share

Severity by source

Vendor (nvidia) PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.4 HIGH

Local vector since exploitation requires deserializing an attacker-controlled model file (AV:L); no privileges once the artifact is loaded (PR:N), with full code-execution-grade C/I/A impact.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (nvidia).

CVSS VectorVendor: nvidia

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 21:23 vuln.today
CVE Published
Jul 14, 2026 - 20:00 cve.org
HIGH 8.4

DescriptionCVE.org

NVIDIA TensorRT-LLM for Linux contains a vulnerability in the restricted unpickler used for model weight deserialization, where a local, unauthenticated attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.

AnalysisAI

Insecure deserialization in NVIDIA TensorRT-LLM for Linux lets a local, low-privileged attacker abuse a weakness in the restricted unpickler that handles model-weight loading, potentially achieving code execution, privilege escalation, data tampering, and information disclosure. The flaw (CWE-502, CVSS 8.4) affects the GPU LLM-inference library and stems from the restricted unpickler failing to fully constrain what can be deserialized from an untrusted model artifact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local access or model-directory write
Delivery
Plant crafted malicious weight file
Exploit
TensorRT-LLM restricted unpickler deserializes payload
Execution
Arbitrary code executes in inference process
Impact
Escalate privileges and exfiltrate or tamper data

Vulnerability AssessmentAI

Exploitation Exploitation requires that TensorRT-LLM on Linux deserialize a model weight file that the attacker controls or has tampered with - the specific trigger is the restricted-unpickler code path invoked during model-weight loading, so the attacker must be able to supply, substitute, or influence the weights the victim process loads. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H yields 8.4 (High), driven by high impact across confidentiality, integrity, and availability with low attack complexity and no privileges - but critically the attack vector is Local (AV:L), not network, so this is not a remotely triggerable pre-auth RCE despite the high score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious model weight file whose embedded pickle stream abuses the incomplete restrictions in TensorRT-LLM's unpickler, then gets it onto a target system - for example by publishing it as a seemingly legitimate model or by writing to a shared model directory a victim later loads. When the TensorRT-LLM process deserializes the weights during model initialization, the crafted payload executes, giving the local attacker code execution and potential privilege escalation. …
Remediation No vendor-released patch version was identified at time of analysis in the provided data, so the primary action is to consult NVIDIA's official security bulletin for TensorRT-LLM and upgrade to the fixed release once identified (start from the NVD/CVE.org records at https://nvd.nist.gov/vuln/detail/CVE-2026-24233). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory systems running NVIDIA TensorRT-LLM and restrict model loading to artifacts from trusted, verified sources only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-47472 HIGH
7.8 Jul 14

Local privilege-context deserialization in NVIDIA TensorRT-LLM lets an attacker who already has same-user access to a ho

CVE-2026-47471 HIGH
7.5 Jul 14

Heap-based buffer overflow in NVIDIA TensorRT-LLM's tensor deserialization path lets an adjacent, unauthenticated attack

CVE-2026-47473 HIGH
7.4 Jul 14

Memory corruption in NVIDIA TensorRT-LLM allows an attacker with local access to trigger a write-what-where primitive (C

CVE-2026-24229 HIGH
7.3 Jul 14

Missing authentication in NVIDIA TensorRT-LLM for Linux lets an attacker reach the disaggregated orchestrator's FastAPI

CVE-2026-24234 MEDIUM
6.8 Jul 14

NVIDIA TensorRT-LLM for Linux contains a vulnerability in the multimodal media fetching functions, where a network-acces

CVE-2026-24259 MEDIUM
6.4 Jul 14

NVIDIA TensorRT-LLM for Linux contains a vulnerability where an attacker could cause missing authentication for a critic

CVE-2026-24220 MEDIUM
6.4 Jul 14

NVIDIA TensorRT-LLM for any platform contains a vulnerability in visual gen server, where an attacker could cause an uns

CVE-2026-24226 MEDIUM
6.3 Jul 14

NVIDIA TensorRT-LLM for Linux contains a vulnerability where an attacker could cause improper control of code generation

CVE-2026-24271 MEDIUM
6.2 Jul 14

NVIDIA TensorRT-LLM contains a vulnerability in the OpenAI-compatible inference API, where an attacker could cause alloc

CVE-2026-47475 MEDIUM
6.2 Jul 14

NVIDIA TensorRT-LLM contains a vulnerability in the OpenAI-compatible inference API where an attacker could trigger a re

CVE-2026-47470 MEDIUM
6.2 Jul 14

NVIDIA TensorRT-LLM for any platform contains a vulnerability in the gRPC server chat API endpoint, where an attacker co

Share

CVE-2026-24233 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy