NVIDIA Megatron Bridge CVE-2026-24242

EUVD-2026-41040 | HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-01 | nvidia | GHSA-w6mv-qpwp-2h37
7.8 (CVSS 3.1 · Vendor: nvidia)

Severity by source

Vendor (nvidia), PRIMARY: 7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

vuln.today AI: 5.5 MEDIUM
Matched vendor AV:L/UI:R (local processing of crafted input); scored C:H for information disclosure but I:N/A:N since the description supports only confidentiality impact, unlike the vendor's I:H/A:H.
CVSS 3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS 4.0: AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (nvidia).

CVSS Vector (Vendor: nvidia)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  • Analysis Generated: Jul 01, 2026 - 15:58 (vuln.today)
  • CVE Published: Jul 01, 2026 - 14:48 (cve.org), HIGH 7.8

Description (CVE.org)

NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause server-side request forgery. A successful exploit of this vulnerability might lead to information disclosure.

Analysis (AI)

Server-side request forgery in NVIDIA Megatron Bridge for Linux allows an attacker to coerce the software into issuing attacker-controlled requests, potentially leading to disclosure of sensitive information. The flaw (CWE-918) was reported by NVIDIA itself and carries a vendor CVSS 3.1 score of 7.8; notably the vector is scored as local with required user interaction (AV:L/UI:R) rather than a classic remote SSRF, which security teams should reconcile against the SSRF classification. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Craft malicious resource reference
  • Delivery: Induce operator to load it in Megatron Bridge
  • Exploit: Library issues attacker-controlled request (SSRF)
  • Execution: Reach internal/metadata endpoint
  • Impact: Exfiltrate disclosed information

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an operator to process attacker-influenced input in Megatron Bridge - the CVSS vector's UI:R means a victim must take an action (loading a crafted model, dataset, or configuration reference), and AV:L means the trigger is local to the environment running the library rather than a directly network-reachable service. …

Risk Assessment: The signals are mixed. …

Exploit Scenario: An attacker crafts a malicious model, dataset, or configuration reference and induces an operator to load it in Megatron Bridge (satisfying the UI:R requirement); when processed, the library issues a request to an attacker-chosen internal endpoint such as a cloud metadata service, returning sensitive data like credentials or internal service responses to the attacker. Because AV:L/AC:L/PR:N applies, the attack needs local processing of the crafted input but no prior privileges. …

Remediation: Consult the NVIDIA product-security advisory at https://github.com/NVIDIA/product-security/tree/main/2026/5841 for the fixed release and upgrade Megatron Bridge to the patched version; an exact fix version was not provided in this data, so treat it as 'Patch available per vendor advisory' and confirm the version from that advisory before deployment. …

Recommended Action (AI)

Within 24 hours: Identify all systems running NVIDIA Megatron Bridge and document user access scope. …

CVE-2026-24248 HIGH
7.8 Jul 01

Arbitrary code execution in NVIDIA Megatron Bridge for Linux stems from improper control of code generation (CWE-94), al

CVE-2026-24243 HIGH
7.8 Jul 01

Arbitrary code execution in NVIDIA Megatron Bridge (all versions per the NVIDIA advisory) arises from unsafe deserializa

CVE-2026-24247 HIGH
7.8 Jul 01

Insecure deserialization in NVIDIA Megatron Bridge for Linux (CWE-502) lets an attacker who supplies a crafted serialize

CVE-2026-24246 HIGH
7.8 Jul 01

Arbitrary code execution in NVIDIA Megatron Bridge on Linux arises from unsafe reflection (CWE-470), where externally-co

CVE-2026-24240 HIGH
7.8 Jul 01

Deserialization of untrusted data in NVIDIA Megatron Bridge for Linux (CWE-502) can lead to arbitrary code execution, pr

CVE-2026-24249 HIGH
7.8 Jul 01

Deserialization of untrusted data in NVIDIA Megatron Bridge for Linux allows a low-privileged local attacker to achieve

CVE-2026-24251 HIGH
7.8 Jul 01

Local code execution and privilege escalation in NVIDIA Megatron Bridge (Linux) stems from unsafe handling of dynamicall

CVE-2026-24250 HIGH
7.8 Jul 01

Local privilege escalation and code execution in NVIDIA Megatron Bridge for Linux stems from unsafe deserialization of a

CVE-2026-24245 HIGH
7.8 Jul 01

Arbitrary code execution in NVIDIA Megatron Bridge for Linux arises from unsafe deserialization of untrusted data (CWE-5

CVE-2026-24244 HIGH
7.8 Jul 01

Arbitrary code execution and privilege escalation in NVIDIA Megatron Bridge on Linux arises from unsafe deserialization

CVE-2025-33240 HIGH
7.8 Feb 18

NVIDIA Megatron Bridge contains a vulnerability in a data shuffling tutorial, where malicious input could cause a code i

CVE-2025-33239 HIGH
7.8 Feb 18

NVIDIA Megatron Bridge contains a vulnerability in a data merging tutorial, where malicious input could cause a code inj
