Skip to main content

Dali EUVDEUVD-2026-19753

| CVE-2026-24156 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-04-07 nvidia
7.3
CVSS 3.1 · Vendor: nvidia
Share

Severity by source

Vendor (nvidia) PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from Vendor (nvidia) · only source for this CVE.

CVSS VectorVendor: nvidia

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 18:00 euvd
EUVD-2026-19753
Analysis Generated
Apr 07, 2026 - 18:00 vuln.today
CVE Published
Apr 07, 2026 - 17:11 nvd
HIGH 7.3

DescriptionCVE.org

NVIDIA DALI contains a vulnerability where an attacker could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to arbitrary code execution.

AnalysisAI

Arbitrary code execution in NVIDIA DALI (all versions prior to 2.0) allows local authenticated attackers with low privileges to execute malicious code by exploiting insecure deserialization of untrusted data, requiring user interaction. EPSS exploitation probability and KEV status data not available; no public exploit identified at time of analysis. The vulnerability affects NVIDIA's Data Loading Library, a critical component in AI/ML data preprocessing pipelines.

Technical ContextAI

NVIDIA DALI (Data Loading Library) is a GPU-accelerated library for data loading and preprocessing in deep learning applications. The vulnerability stems from CWE-502 (Deserialization of Untrusted Data), a dangerous pattern where the application deserializes data from untrusted sources without proper validation. When an attacker can control serialized data structures that DALI processes, they can inject malicious objects that execute arbitrary code during the deserialization process. This affects the product identified as cpe:2.3:a:nvidia:dali across all versions prior to the 2.0 release. Deserialization vulnerabilities are particularly dangerous in libraries handling data pipelines, as they may process user-supplied training data, model files, or configuration files that could contain malicious serialized payloads. The local attack vector (AV:L) indicates exploitation requires local access to the system running DALI, while the requirement for user interaction (UI:R) suggests a user must trigger the deserialization process, possibly by loading a malicious data file or configuration.

RemediationAI

Organizations should immediately upgrade NVIDIA DALI to version 2.0 or later, which addresses the insecure deserialization vulnerability. Download the patched version from NVIDIA's official channels and review the vendor security advisory at https://nvidia.custhelp.com/app/answers/detail/a_id/5811 for complete upgrade instructions and any platform-specific considerations. As an interim mitigation for environments unable to upgrade immediately, restrict DALI usage to trusted data sources only, implement strict input validation on all data files and configurations processed by DALI pipelines, and apply principle of least privilege to limit which users can execute DALI workflows. Consider isolating DALI workloads in sandboxed containers or virtual machines to contain potential exploitation impact until patching is complete. Verify that no untrusted serialized data files are present in DALI data directories or pipeline configurations.

Share

EUVD-2026-19753 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy