Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Local vector since exploitation requires deserializing an attacker-controlled model file (AV:L); no privileges once the artifact is loaded (PR:N), with full code-execution-grade C/I/A impact.
Primary rating from Vendor (nvidia).
CVSS VectorVendor: nvidia
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
NVIDIA TensorRT-LLM for Linux contains a vulnerability in the restricted unpickler used for model weight deserialization, where a local, unauthenticated attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.
Articles & Coverage 1
AnalysisAI
Insecure deserialization in NVIDIA TensorRT-LLM for Linux lets a local, low-privileged attacker abuse a weakness in the restricted unpickler that handles model-weight loading, potentially achieving code execution, privilege escalation, data tampering, and information disclosure. The flaw (CWE-502, CVSS 8.4) affects the GPU LLM-inference library and stems from the restricted unpickler failing to fully constrain what can be deserialized from an untrusted model artifact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that TensorRT-LLM on Linux deserialize a model weight file that the attacker controls or has tampered with - the specific trigger is the restricted-unpickler code path invoked during model-weight loading, so the attacker must be able to supply, substitute, or influence the weights the victim process loads. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H yields 8.4 (High), driven by high impact across confidentiality, integrity, and availability with low attack complexity and no privileges - but critically the attack vector is Local (AV:L), not network, so this is not a remotely triggerable pre-auth RCE despite the high score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious model weight file whose embedded pickle stream abuses the incomplete restrictions in TensorRT-LLM's unpickler, then gets it onto a target system - for example by publishing it as a seemingly legitimate model or by writing to a shared model directory a victim later loads. When the TensorRT-LLM process deserializes the weights during model initialization, the crafted payload executes, giving the local attacker code execution and potential privilege escalation. … |
| Remediation | No vendor-released patch version was identified at time of analysis in the provided data, so the primary action is to consult NVIDIA's official security bulletin for TensorRT-LLM and upgrade to the fixed release once identified (start from the NVD/CVE.org records at https://nvd.nist.gov/vuln/detail/CVE-2026-24233). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory systems running NVIDIA TensorRT-LLM and restrict model loading to artifacts from trusted, verified sources only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Tensorrt Llm
View allLocal privilege-context deserialization in NVIDIA TensorRT-LLM lets an attacker who already has same-user access to a ho
Heap-based buffer overflow in NVIDIA TensorRT-LLM's tensor deserialization path lets an adjacent, unauthenticated attack
Memory corruption in NVIDIA TensorRT-LLM allows an attacker with local access to trigger a write-what-where primitive (C
Missing authentication in NVIDIA TensorRT-LLM for Linux lets an attacker reach the disaggregated orchestrator's FastAPI
NVIDIA TensorRT-LLM for Linux contains a vulnerability in the multimodal media fetching functions, where a network-acces
NVIDIA TensorRT-LLM for Linux contains a vulnerability where an attacker could cause missing authentication for a critic
NVIDIA TensorRT-LLM for any platform contains a vulnerability in visual gen server, where an attacker could cause an uns
NVIDIA TensorRT-LLM for Linux contains a vulnerability where an attacker could cause improper control of code generation
NVIDIA TensorRT-LLM contains a vulnerability in the OpenAI-compatible inference API, where an attacker could cause alloc
NVIDIA TensorRT-LLM contains a vulnerability in the OpenAI-compatible inference API where an attacker could trigger a re
NVIDIA TensorRT-LLM for any platform contains a vulnerability in the gRPC server chat API endpoint, where an attacker co
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44448
GHSA-rjg7-v496-w6mx