Nvidia
Monthly
In the Linux kernel, the following vulnerability has been resolved: mm: fix deferred split queue races during migration migrate_folio_move() records the deferred split queue state from src and replays it on dst. Replaying it after remove_migration_ptes(src, dst, 0) makes dst visible before it is requeued, so a concurrent rmap-removal path can mark dst partially mapped and trip the WARN in deferred_split_folio(). Move the requeue before remove_migration_ptes() so dst is back on the deferred split queue before it becomes visible again. Because migration still holds dst locked at that point, teach deferred_split_scan() to requeue a folio when folio_trylock() fails. Otherwise a fully mapped underused folio can be dequeued by the shrinker and silently lost from split_queue. [ziy@nvidia.com: move the comment]
Path traversal in NVIDIA BioNeMo Core for Linux allows remote attackers to escape intended directory boundaries when a user is induced to load a malicious file, enabling code execution, information disclosure, data tampering, or denial of service. The flaw carries a high CVSS score of 8.8 driven by network reachability and full CIA impact, though exploitation requires user interaction; no public exploit identified at time of analysis.
Arbitrary code execution in NVIDIA BioNemo Framework on Linux allows a local attacker to abuse unsafe deserialization of untrusted data (CWE-502), leading to code execution, denial of service, information disclosure, and data tampering. The CVSS 7.8 vector indicates local attack vector with required user interaction, and no public exploit has been identified at time of analysis.
Host impersonation and machine-in-the-middle attacks against NVIDIA DGX OS systems are possible because the factory provisioning process clones a base image that ships identical SSH host keys onto every similarly provisioned system, primarily affecting DGX Spark deployments. With a CVSS of 8.1 and a CWE-321 (Use of Hard-Coded Cryptographic Key) root cause, an unauthenticated network attacker who possesses the shared key material from any one device can impersonate peers, potentially leading to code execution, data tampering, privilege escalation, information disclosure, or denial of service. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Out-of-bounds write in NVIDIA TensorRT allows remote attackers to corrupt memory and tamper with data processed by the inference engine, per NVIDIA's own advisory (KB 5836). The CVSS 8.2 score reflects high integrity impact with no privileges or user interaction required, though confidentiality is unaffected. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unsafe deserialization in NVIDIA TensorRT-LLM's RPC testing component allows a local high-privileged attacker to trigger code execution, denial of service, data tampering, or information disclosure across a changed scope. The flaw is rated CVSS 7.5 despite local-only access and high attack complexity because successful exploitation crosses a security boundary (S:C) and yields full CIA impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Null pointer dereference in NVIDIA TensorRT-LLM across all supported platforms allows a local attacker to crash the application and cause denial of service. The flaw stems from an unchecked return value that is subsequently dereferenced, triggering a fault when the returned pointer is null. With a CVSS score of 5.5 and no public exploit or CISA KEV listing identified at time of analysis, real-world risk is moderate and constrained by the local attack vector and mandatory user interaction.
Deserialization of untrusted data in NVIDIA TensorRT-LLM across all platforms allows a local, low-privileged attacker to achieve code execution, data tampering, and information disclosure by exploiting an unsafe serialized handle. The CVSS Changed Scope (S:C) indicates the impact can extend beyond the vulnerable component itself - notable given TensorRT-LLM's role as an inference serving library often integrated into multi-tenant or production AI infrastructure. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Unsafe deserialization in NVIDIA TensorRT-LLM's MPI server component allows a high-privileged local attacker to achieve code execution, denial of service, data tampering, or information disclosure on systems running the affected library. The CVSS 7.5 score reflects high impact but constrained exploitability (AV:L/AC:H/PR:H), and no public exploit identified at time of analysis. Scope change (S:C) indicates compromise can extend beyond the vulnerable component to impact other resources on the host.
Uncontrolled resource consumption in NVIDIA Triton Inference Server's DALI backend allows a network-adjacent, low-privileged attacker to exhaust server resources, resulting in denial of service. The vulnerability (CWE-400) is triggered through the DALI data-loading and augmentation backend, requires low privileges and user interaction, and carries a CVSS score of 5.7 (Medium). No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a monitored-but-not-critical-urgency tier for most deployments.
Integer overflow in the DALI backend of NVIDIA Triton Inference Server allows authenticated remote attackers to trigger memory corruption that may result in code execution, data tampering, or denial of service. The flaw requires low-level privileges plus user interaction (CVSS 8.0, AV:N/AC:L/PR:L/UI:R) and affects deployments exposing the DALI inference pipeline. No public exploit identified at time of analysis.
Out-of-bounds read in the DALI backend of NVIDIA Triton Inference Server allows authenticated remote attackers to trigger memory disclosure that may escalate to code execution, data tampering, or denial of service. The flaw carries a CVSS 8.0 (High) rating reflecting low-privilege network access with required user interaction, and no public exploit identified at time of analysis. NVIDIA has published a security bulletin addressing the issue.
Denial of service in NVIDIA Triton Inference Server can be triggered remotely by unauthenticated attackers via an integer overflow condition (CWE-190). The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and no public exploit has been identified at time of analysis. Defenders running Triton in network-exposed inference deployments should prioritize patching since exploitation requires no privileges, no user interaction, and low attack complexity.
Denial of service in NVIDIA Triton Inference Server can be triggered remotely without authentication via a path traversal flaw (CWE-22), enabling unauthenticated network attackers to disrupt model-serving availability. The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and no public exploit has been identified at time of analysis.
Path traversal exploitation in NVIDIA Triton Inference Server enables unauthenticated remote attackers to cause denial of service by submitting crafted requests containing malicious path components. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero authentication or user interaction is required, making this broadly reachable from the network with low attack complexity. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis; however, the no-prerequisite attack profile warrants patching per NVIDIA's advisory at nvidia.custhelp.com.
Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected functionality over the network, potentially chaining to code execution, privilege escalation, data tampering, denial of service, or information disclosure. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) reflects a critical severity issue affecting an AI/ML inference platform commonly deployed in production model-serving environments. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Authentication bypass in NVIDIA Triton Inference Server allows remote unauthenticated attackers to circumvent access controls, potentially leading to privilege escalation, denial of service, or information disclosure. With a CVSS 7.3 score and network-reachable attack vector (AV:N/AC:L/PR:N/UI:N), the flaw is exploitable without user interaction or credentials, though no public exploit identified at time of analysis. The vulnerability is not currently listed in CISA KEV, and EPSS data was not provided in the source intelligence.
Remote code execution in ai-scanner versions 1.0.0 through 1.4.0 allows authenticated attackers to inject and execute arbitrary JavaScript code via the BrowserAutomation::PlaywrightService component. The vulnerability has a Critical CVSS score of 9.9 with scope change, enabling cross-boundary compromise of confidentiality, integrity, and availability. Vendor-released patch available in version 1.4.1 as of April 13, 2026, with GitHub Security Advisory GHSA-r27j-xxgx-f5vr confirming the fix.
Linux kernel's Tegra PMC driver can trigger kernel warnings and potential denial of service during system resume by calling generic_handle_irq() from non-interrupt context. Affects Tegra186 and later platforms running Linux kernel versions prior to 6.19.6 and 7.0. CVSS 5.5 indicates local low-complexity exploitation requiring authenticated access. EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation activity. Vendor patches available via stable kernel tree commits.
Stored XSS in Jupyter Notebook's CommandLinker feature enables authentication token theft through malicious notebook files, leading to complete account takeover. Attackers craft notebook files with disguised controls that, when clicked once by victims, execute arbitrary code via the Jupyter REST API, granting full filesystem access and kernel control. Reported by NVIDIA AI Red Team. Vendor-released patches available: Jupyter Notebook 7.5.6 and JupyterLab 4.5.7. No public exploit code identified at time of analysis, but proof-of-concept demonstrated internally by NVIDIA researchers. This vulnerability targets data science and ML engineering environments where notebook sharing is common practice.
Server-side request forgery in NVIDIA NemoClaw's validateEndpointUrl() function allows local attackers with user interaction to supply crafted endpoint URLs targeting the 0.0.0.0/8 address range via blueprint configuration files or CLI flags, leading to information disclosure. The vulnerability affects all versions of NemoClaw and requires local access with user interaction to trigger, limiting exposure to systems where untrusted users can modify configuration or invoke CLI commands.
Remote unauthenticated attackers can exfiltrate sensitive host environment variables from NVIDIA NeMoClaw by injecting malicious prompts that bypass sandbox access controls. The vulnerability affects the sandbox initialization component and enables information disclosure without requiring any authentication or user interaction (CVSS 8.6, AV:N/AC:L/PR:N/UI:N). Cross-scope impact (S:C) indicates the attack breaks out of the intended sandbox boundary to access host-level secrets. EPSS and KEV status not available; this appears to be a recently disclosed AI/LLM agent security issue.
NVIDIA Flare SDK is vulnerable to path traversal via improper input validation, allowing authenticated remote attackers to disclose sensitive information. The vulnerability affects all versions of the SDK and requires valid user credentials to exploit, making it a moderate-risk issue for organizations using Flare in multi-user environments. No public exploit code or active exploitation has been identified.
Remote code execution in NVIDIA FLARE SDK allows authenticated attackers to execute arbitrary code by sending maliciously crafted FOBS-encoded messages that exploit unsafe deserialization in the FOBS component. The vulnerability affects federated learning deployments where NVIDIA FLARE SDK processes messages from low-privileged authenticated users, enabling complete system compromise with high impact to confidentiality, integrity, and availability. No active exploitation confirmed (not in CISA KEV) and public exploit status unknown at time of analysis.
Authentication bypass in NVIDIA NVFlare Dashboard allows remote unauthenticated attackers to escalate privileges through user-controlled key manipulation in the authentication system. The vulnerability affects the NVIDIA Flare SDK and enables complete system compromise including arbitrary code execution, data tampering, information disclosure, and denial of service. With a CVSS score of 9.8 (critical severity) and maximum exploitability metrics (AV:N/AC:L/PR:N/UI:N), this represents a severe security flaw requiring immediate remediation, though no active exploitation (KEV) or public exploit code has been identified at time of analysis.
Out-of-bounds read in NVIDIA CUDA-Q endpoint allows remote unauthenticated attackers to crash services and disclose sensitive memory contents via malformed network requests. The vulnerability affects an exposed network endpoint with no authentication barrier (CVSS AV:N/AC:L/PR:N/UI:N), enabling trivial exploitation against internet-facing deployments. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting exploitation remains theoretical or limited to targeted scenarios.
Authorization bypass in NVIDIA KAI Scheduler allows authenticated network attackers to access protected API endpoints and disclose sensitive information across security boundaries. The vulnerability (CWE-306: Missing Authentication for Critical Function) enables low-privileged authenticated users to read high-value data outside their intended scope (CVSS scope changed to 'C', high confidentiality impact). NVIDIA has published advisory 5818 with remediation guidance. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.
NVIDIA KAI Scheduler contains an improper authorization vulnerability allowing authenticated attackers to reference pods across Kubernetes namespaces they do not own, enabling data tampering. The vulnerability requires valid credentials and network access to the scheduler but does not permit confidentiality breaches or denial of service. CVSS 4.3 (low) reflects authenticated access requirement and integrity impact only; no active exploitation or public POC identified.
Remote denial of service in NVIDIA Triton Inference Server versions prior to r26.02 allows unauthenticated attackers to crash the server by sending malformed HTTP request headers over the network. The vulnerability scores 7.5 (High) with maximum availability impact, requires no authentication or user interaction, and has low attack complexity. EPSS and KEV data not provided; no public exploit identified at time of analysis.
Remote denial of service in NVIDIA Triton Inference Server (all versions prior to r26.02) allows unauthenticated attackers to crash the server via malformed requests. The vulnerability has a CVSS score of 7.5 with network-accessible attack vector and low complexity, requiring no privileges or user interaction. EPSS data not provided; no public exploit identified at time of analysis. The issue stems from improper conversion between numeric types (CWE-681), enabling trivial service disruption for ML inference workloads.
Integer overflow in NVIDIA Triton Inference Server allows unauthenticated remote attackers to crash the server through malformed requests, causing denial of service. All versions prior to r26.02 are affected. CVSS 7.5 (High) with network attack vector, low complexity, and no authentication required. EPSS and KEV data not provided; no public exploit identified at time of analysis. Organizations running Triton Inference Server for ML model deployment should prioritize patching to prevent service disruption.
NVIDIA Triton Inference Server prior to r26.02 allows unauthenticated remote attackers to trigger information disclosure and denial of service through malicious model configuration uploads, exploiting a path traversal vulnerability (CWE-22) that enables access to sensitive files outside intended directories. The CVSS 4.8 score reflects moderate risk with high attack complexity, though real-world exploitation likelihood depends on network accessibility to model upload endpoints.
NVIDIA Triton Inference Server crashes when processing inference requests with insufficient input validation combined with large output counts, enabling remote denial of service without authentication (CVSS 7.5, EPSS data not available). The vulnerability affects all versions prior to r26.02, with no public exploit identified at time of analysis. Unauthenticated remote attackers can exploit this flaw with low complexity (AV:N/AC:L/PR:N) to completely disrupt machine learning inference services.
Arbitrary code execution in NVIDIA DALI (all versions prior to 2.0) allows local authenticated attackers with low privileges to execute malicious code by exploiting insecure deserialization of untrusted data, requiring user interaction. EPSS exploitation probability and KEV status data not available; no public exploit identified at time of analysis. The vulnerability affects NVIDIA's Data Loading Library, a critical component in AI/ML data preprocessing pipelines.
Deserialization of untrusted data in NVIDIA BioNeMo Framework enables local attackers to execute arbitrary code, cause denial of service, disclose sensitive information, or tamper with data when users open malicious files. CVSS 7.8 (High) reflects local attack vector requiring user interaction. EPSS data not available; no public exploit identified at time of analysis. Affects NVIDIA BioNeMo Framework, a platform for AI-driven drug discovery and biomolecular research.
Insecure deserialization in NVIDIA BioNeMo Framework enables remote code execution when attackers can induce users to process malicious serialized data. This vulnerability (CWE-502) affects the BioNeMo Framework with network-reachable attack surface (AV:N) and low complexity (AC:L), requiring only user interaction (UI:R) but no authentication (PR:N). The CVSS 8.8 rating reflects critical impacts across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the deserialization vulnerability class is well-understood and commonly exploited. EPSS data not available for this CVE.
Command injection in NVIDIA Jetson Linux initrd allows physical attackers to execute arbitrary code with elevated privileges across Jetson Xavier, Orin, and Thor series devices. An attacker with physical access can inject malicious command-line arguments during boot without authentication (CVSS:3.1/AV:P/AC:L/PR:N), leading to complete system compromise including root-level code execution, denial of service, and data exfiltration. EPSS data not available; no public exploit identified at time of analysis, though the low attack complexity (AC:L) and physical-only requirement (AV:P) suggest exploitation is straightforward for adversaries with device access.
Information disclosure in NVIDIA Jetson Linux affects Xavier, Orin, and Thor series devices due to the nvluks trusted application remaining enabled in initrd. A local attacker with physical access and low-level privileges can exploit this to read sensitive data from the device, as confirmed by CWE-501 (CLS: Malicious Code Not Included in Executable) indicating improper access control to privileged components. CVSS 5.2 reflects the high confidentiality impact but requires physical attack vector and authenticated access; no public exploit or CISA KEV status reported.
NVIDIA Jetson system initialization flaw allows authenticated remote attackers to exploit insecure default machine IDs, enabling cross-device information disclosure of encrypted data and tampering. Affects JetPack on Xavier and Orin series devices. CVSS 8.3 (High) with network attack vector and low complexity. EPSS data not available; no confirmed active exploitation (CISA KEV status not present). The vulnerability enables attackers with low-level privileges to compromise multiple devices sharing identical default machine identifiers, undermining cryptographic protections and system integrity across the device fleet.
NVIDIA NeMo Framework contains an insecure deserialization vulnerability (CWE-502) that allows authenticated local attackers to execute arbitrary code. The vulnerability affects NVIDIA NeMo Framework installations and can lead to code execution, privilege escalation, information disclosure, and data tampering. According to CISA's SSVC framework, there is currently no evidence of active exploitation in the wild, and the attack is not automatable, though technical impact is rated as total.
NVIDIA NeMo Framework contains a remote code execution vulnerability in its checkpoint loading mechanism caused by insecure deserialization (CWE-502). Attackers with local access and low privileges can exploit this to achieve code execution, privilege escalation, information disclosure, and data tampering with high impact on confidentiality, integrity, and availability. According to SSVC framework, there is currently no observed exploitation in the wild, though the technical impact is rated as total.
NVIDIA Model Optimizer for Windows and Linux contains an unsafe deserialization vulnerability in its ONNX quantization feature that allows attackers to execute arbitrary code by providing a malicious input file. Users who process untrusted ONNX model files are at risk of complete system compromise, including code execution, privilege escalation, data tampering, and information disclosure. There is no current evidence of active exploitation (not in CISA KEV) or public proof-of-concept availability.
NVIDIA Triton Inference Server contains a denial of service vulnerability in its HTTP endpoint that can be exploited by sending large compressed payloads. The vulnerability has a CVSS score of 7.5 (High) and is exploitable remotely without authentication or user interaction. There is no evidence of active exploitation (not in CISA KEV), and no public proof-of-concept has been identified at this time.
NVIDIA Triton Inference Server contains a race condition vulnerability (CWE-362) that allows unauthenticated remote attackers to corrupt internal server state, resulting in a denial of service. The vulnerability affects NVIDIA Triton Inference Server across multiple versions and can be exploited over the network with low attack complexity requiring no privileges or user interaction. With a CVSS score of 7.5 (High) and an EPSS score not provided, this represents a significant availability risk for organizations running AI/ML inference workloads.
NVIDIA Triton Inference Server's Sagemaker HTTP server contains a race condition vulnerability that allows unauthenticated remote attackers to trigger an exception, resulting in denial of service. The vulnerability affects NVIDIA Triton Inference Server deployments using the Sagemaker HTTP server component and can be exploited over the network without authentication or user interaction. There is no indication of active exploitation (not in CISA KEV), and EPSS data was not provided, but the CVSS score of 7.5 (High) reflects the ease of exploitation.
NVIDIA APEX for Linux contains a deserialization of untrusted data vulnerability that affects environments using PyTorch versions earlier than 2.6. An attacker with low privileges on an adjacent network can exploit this flaw to achieve code execution, denial of service, privilege escalation, data tampering, and information disclosure with scope change (CVSS 9.0 Critical). No KEV listing or public POC availability has been reported at this time.
NVIDIA Megatron-LM contains an unsafe deserialization vulnerability (CWE-502) in its checkpoint loading mechanism that allows remote code execution when a user loads a maliciously crafted checkpoint file. The vulnerability affects NVIDIA Megatron-LM installations and can lead to code execution, privilege escalation, information disclosure, and data tampering with a CVSS score of 7.8. The attack requires local access and low privileges but no user interaction once the malicious file is loaded.
NVIDIA Megatron-LM contains an insecure deserialization vulnerability (CWE-502) during model inferencing that allows remote code execution when a user loads a maliciously crafted input file. This vulnerability has a CVSS score of 7.8 and requires local access with low privileges but no user interaction, enabling attackers to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. The vulnerability affects NVIDIA's large language model training framework widely used in AI research and production environments.
NVIDIA Megatron-LM contains an unsafe deserialization vulnerability (CWE-502) in its checkpoint loading functionality that allows remote code execution when a user is tricked into loading a maliciously crafted checkpoint file. The vulnerability affects NVIDIA Megatron-LM installations and can lead to code execution, privilege escalation, information disclosure, and data tampering with a CVSS score of 7.8. There is no current indication of active exploitation in CISA's KEV catalog, and EPSS data was not provided in the intelligence sources.
NVIDIA Megatron-LM contains a critical unsafe deserialization vulnerability (CWE-502) in its hybrid conversion script that allows remote code execution when a user loads a maliciously crafted file. The vulnerability affects NVIDIA Megatron-LM installations and enables attackers to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. With a CVSS score of 7.8 and local attack vector requiring low privileges and no user interaction, this represents a significant risk for organizations using this large language model training framework.
NVIDIA Megatron LM contains an insecure deserialization vulnerability (CWE-502) in its quantization configuration loading mechanism that enables remote code execution. Attackers with local access and low privileges can exploit this flaw to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. The vulnerability has a CVSS score of 7.8 and affects all versions of NVIDIA Megatron LM based on available CPE data.
This vulnerability in NVIDIA's B300 MCU (specifically the CX8 MCU component) allows privileged attackers with network access to modify unsupported hardware registries, potentially causing denial of service and data tampering. The flaw affects HGX and DGX B300 systems and requires high privileges and non-trivial attack complexity to exploit, though no public exploit code or active exploitation has been reported at this time. SSVC assessment indicates the vulnerability presents partial technical impact with no known automated exploitation capability.
NVIDIA SNAP-4 Container contains a buffer size calculation vulnerability in its configuration interface that allows an authenticated attacker on the same virtualized environment to trigger a denial of service condition. An attacker with local VM access and low-level privileges can send specially crafted configuration payloads that cause incorrect buffer size calculations, resulting in crashes of the SNAP storage service and loss of storage availability to the host. There is currently no evidence of active exploitation or public proof-of-concept code, and the SSVC framework indicates no known exploitation has occurred, though the vulnerability is automatable in principle.
NVIDIA SNAP-4 Container contains a use-of-out-of-range pointer offset vulnerability in the VIRTIO-BLK component that allows a malicious guest VM to trigger memory corruption and denial of service. The vulnerability affects NVIDIA SNAP-4 Container across all versions as indicated by the CPE string. A successful exploit results in denial of service to the DPA (Data Processing Appliance) and impacts storage availability to other VMs, though no code execution or information disclosure is possible. There is no evidence of active exploitation in the wild (KEV status indicates none), and the CVSS score of 6.8 reflects moderate severity with high availability impact but limited exploitability due to requiring adjacent network access and user privileges.
NVIDIA NeMo framework contains a vulnerability in a predefined variable, where an attacker could cause inclusion of functionality from an untrusted control sphere by use of a predefined variable. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP and LLM components, where malicious data created by an attacker could cause code injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA NeMo Agent Toolkit UI for Web contains a vulnerability in the chat API endpoint where an attacker may cause a Server-Side Request Forgery. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. Rated low severity (CVSS 2.3), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause incorrect control flow behavior. Rated low severity (CVSS 3.2), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a NULL pointer dereference. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause unexpected memory buffer operations. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause improper processing of input data. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause improper validation of integrity. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause an arbitrary memory read. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in OSROOT firmware, where an attacker could cause an invalid memory read. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware where an attacker could cause an out-of-bound write. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause an out-of-bound write. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in hardware resources where an attacker could tamper with hardware controls. Rated high severity (CVSS 8.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT, where an attacker could use privileged access to gain access to SoC protected areas. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA Triton Inference Server for Linux and Windows contains a vulnerability where an attacker could cause a stack overflow by sending extra-large payloads. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
NVIDIA AIStore contains a vulnerability in AuthN. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
NVIDIA AIStore contains a vulnerability in AuthN where an unauthenticated user may cause information disclosure. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
NVIDIA NeMo Framework for all platforms contains a vulnerability in the bert services component where malicious data created by an attacker may cause a code injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA NeMo Framework for all platforms contains a vulnerability in a script, where malicious input created by an attacker may cause improper control of code generation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA RunAI for all platforms contains a vulnerability where a user could cause an improper restriction of communications channels on an adjacent network. Rated medium severity (CVSS 6.2). No vendor patch available.
NVIDIA NVApp for Windows contains a vulnerability in the installer, where a local attacker can cause a search path element issue. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Allow UD qp_type to join multicast only As for multicast: - The SIDR is the only mode that makes sense; - Besides PS_UDP, other port spaces like PS_IB is also allowed, as it is UD compatible. In this case qkey also needs to be set [1]. This patch allows only UD qp_type to join multicast, and set qkey to default if it's not set, to fix an uninit-value error: the ib->rec.qkey field is accessed without being initialized. ===================================================== BUG: KMSAN: uninit-value in cma_set_qkey drivers/infiniband/core/cma.c:510 [inline] BUG: KMSAN: uninit-value in cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570 cma_set_qkey drivers/infiniband/core/cma.c:510 [inline] cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570 cma_iboe_join_multicast drivers/infiniband/core/cma.c:4782 [inline] rdma_join_multicast+0x2b83/0x30a0 drivers/infiniband/core/cma.c:4814 ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479 ucma_join_multicast+0x1e3/0x250 drivers/infiniband/core/ucma.c:1546 ucma_write+0x639/0x6d0 drivers/infiniband/core/ucma.c:1732 vfs_write+0x8ce/0x2030 fs/read_write.c:588 ksys_write+0x28c/0x520 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __ia32_sys_write+0xdb/0x120 fs/read_write.c:652 do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline] __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180 do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205 do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c Local variable ib.i created at: cma_iboe_join_multicast drivers/infiniband/core/cma.c:4737 [inline] rdma_join_multicast+0x586/0x30a0 drivers/infiniband/core/cma.c:4814 ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479 CPU: 0 PID: 29874 Comm: syz-executor.3 Not tainted 5.16.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ===================================================== [1] https://lore.kernel.org/linux-rdma/20220117183832.GD84788@nvidia.com/
NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an User/Attacker may cause an authorized action. Rated high severity (CVSS 8.7), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA Delegated Licensing Service for all appliance platforms contains a SQL injection vulnerability where an User/Attacker may cause an authorized action. Rated medium severity (CVSS 4.6). No vendor patch available.
NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an User/Attacker may cause an authorized action. Rated low severity (CVSS 2.4). No vendor patch available.
NVIDIA Megatron-LM for all platforms contains a vulnerability in the ensemble_classifer script where malicious data created by an attacker may cause an injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA Megatron-LM for all platforms contains a vulnerability in the msdp preprocessing script where malicious data created by an attacker may cause an injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA Megatron-LM for all platforms contains a vulnerability in the tasks/orqa/unsupervised/nq.py component, where an attacker may cause a code injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA Megatron-LM for all platforms contains a vulnerability in the pretrain_gpt script, where malicious data created by an attacker may cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA CUDA Toolkit contains a vulnerability in cuobjdump, where an unprivileged user can cause a NULL pointer dereference. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: mm: fix deferred split queue races during migration migrate_folio_move() records the deferred split queue state from src and replays it on dst. Replaying it after remove_migration_ptes(src, dst, 0) makes dst visible before it is requeued, so a concurrent rmap-removal path can mark dst partially mapped and trip the WARN in deferred_split_folio(). Move the requeue before remove_migration_ptes() so dst is back on the deferred split queue before it becomes visible again. Because migration still holds dst locked at that point, teach deferred_split_scan() to requeue a folio when folio_trylock() fails. Otherwise a fully mapped underused folio can be dequeued by the shrinker and silently lost from split_queue. [ziy@nvidia.com: move the comment]
Path traversal in NVIDIA BioNeMo Core for Linux allows remote attackers to escape intended directory boundaries when a user is induced to load a malicious file, enabling code execution, information disclosure, data tampering, or denial of service. The flaw carries a high CVSS score of 8.8 driven by network reachability and full CIA impact, though exploitation requires user interaction; no public exploit identified at time of analysis.
Arbitrary code execution in NVIDIA BioNemo Framework on Linux allows a local attacker to abuse unsafe deserialization of untrusted data (CWE-502), leading to code execution, denial of service, information disclosure, and data tampering. The CVSS 7.8 vector indicates local attack vector with required user interaction, and no public exploit has been identified at time of analysis.
Host impersonation and machine-in-the-middle attacks against NVIDIA DGX OS systems are possible because the factory provisioning process clones a base image that ships identical SSH host keys onto every similarly provisioned system, primarily affecting DGX Spark deployments. With a CVSS of 8.1 and a CWE-321 (Use of Hard-Coded Cryptographic Key) root cause, an unauthenticated network attacker who possesses the shared key material from any one device can impersonate peers, potentially leading to code execution, data tampering, privilege escalation, information disclosure, or denial of service. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Out-of-bounds write in NVIDIA TensorRT allows remote attackers to corrupt memory and tamper with data processed by the inference engine, per NVIDIA's own advisory (KB 5836). The CVSS 8.2 score reflects high integrity impact with no privileges or user interaction required, though confidentiality is unaffected. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unsafe deserialization in NVIDIA TensorRT-LLM's RPC testing component allows a local high-privileged attacker to trigger code execution, denial of service, data tampering, or information disclosure across a changed scope. The flaw is rated CVSS 7.5 despite local-only access and high attack complexity because successful exploitation crosses a security boundary (S:C) and yields full CIA impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Null pointer dereference in NVIDIA TensorRT-LLM across all supported platforms allows a local attacker to crash the application and cause denial of service. The flaw stems from an unchecked return value that is subsequently dereferenced, triggering a fault when the returned pointer is null. With a CVSS score of 5.5 and no public exploit or CISA KEV listing identified at time of analysis, real-world risk is moderate and constrained by the local attack vector and mandatory user interaction.
Deserialization of untrusted data in NVIDIA TensorRT-LLM across all platforms allows a local, low-privileged attacker to achieve code execution, data tampering, and information disclosure by exploiting an unsafe serialized handle. The CVSS Changed Scope (S:C) indicates the impact can extend beyond the vulnerable component itself - notable given TensorRT-LLM's role as an inference serving library often integrated into multi-tenant or production AI infrastructure. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Unsafe deserialization in NVIDIA TensorRT-LLM's MPI server component allows a high-privileged local attacker to achieve code execution, denial of service, data tampering, or information disclosure on systems running the affected library. The CVSS 7.5 score reflects high impact but constrained exploitability (AV:L/AC:H/PR:H), and no public exploit identified at time of analysis. Scope change (S:C) indicates compromise can extend beyond the vulnerable component to impact other resources on the host.
Uncontrolled resource consumption in NVIDIA Triton Inference Server's DALI backend allows a network-adjacent, low-privileged attacker to exhaust server resources, resulting in denial of service. The vulnerability (CWE-400) is triggered through the DALI data-loading and augmentation backend, requires low privileges and user interaction, and carries a CVSS score of 5.7 (Medium). No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a monitored-but-not-critical-urgency tier for most deployments.
Integer overflow in the DALI backend of NVIDIA Triton Inference Server allows authenticated remote attackers to trigger memory corruption that may result in code execution, data tampering, or denial of service. The flaw requires low-level privileges plus user interaction (CVSS 8.0, AV:N/AC:L/PR:L/UI:R) and affects deployments exposing the DALI inference pipeline. No public exploit identified at time of analysis.
Out-of-bounds read in the DALI backend of NVIDIA Triton Inference Server allows authenticated remote attackers to trigger memory disclosure that may escalate to code execution, data tampering, or denial of service. The flaw carries a CVSS 8.0 (High) rating reflecting low-privilege network access with required user interaction, and no public exploit identified at time of analysis. NVIDIA has published a security bulletin addressing the issue.
Denial of service in NVIDIA Triton Inference Server can be triggered remotely by unauthenticated attackers via an integer overflow condition (CWE-190). The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and no public exploit has been identified at time of analysis. Defenders running Triton in network-exposed inference deployments should prioritize patching since exploitation requires no privileges, no user interaction, and low attack complexity.
Denial of service in NVIDIA Triton Inference Server can be triggered remotely without authentication via a path traversal flaw (CWE-22), enabling unauthenticated network attackers to disrupt model-serving availability. The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and no public exploit has been identified at time of analysis.
Path traversal exploitation in NVIDIA Triton Inference Server enables unauthenticated remote attackers to cause denial of service by submitting crafted requests containing malicious path components. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero authentication or user interaction is required, making this broadly reachable from the network with low attack complexity. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis; however, the no-prerequisite attack profile warrants patching per NVIDIA's advisory at nvidia.custhelp.com.
Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected functionality over the network, potentially chaining to code execution, privilege escalation, data tampering, denial of service, or information disclosure. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) reflects a critical severity issue affecting an AI/ML inference platform commonly deployed in production model-serving environments. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Authentication bypass in NVIDIA Triton Inference Server allows remote unauthenticated attackers to circumvent access controls, potentially leading to privilege escalation, denial of service, or information disclosure. With a CVSS 7.3 score and network-reachable attack vector (AV:N/AC:L/PR:N/UI:N), the flaw is exploitable without user interaction or credentials, though no public exploit identified at time of analysis. The vulnerability is not currently listed in CISA KEV, and EPSS data was not provided in the source intelligence.
Remote code execution in ai-scanner versions 1.0.0 through 1.4.0 allows authenticated attackers to inject and execute arbitrary JavaScript code via the BrowserAutomation::PlaywrightService component. The vulnerability has a Critical CVSS score of 9.9 with scope change, enabling cross-boundary compromise of confidentiality, integrity, and availability. Vendor-released patch available in version 1.4.1 as of April 13, 2026, with GitHub Security Advisory GHSA-r27j-xxgx-f5vr confirming the fix.
Linux kernel's Tegra PMC driver can trigger kernel warnings and potential denial of service during system resume by calling generic_handle_irq() from non-interrupt context. Affects Tegra186 and later platforms running Linux kernel versions prior to 6.19.6 and 7.0. CVSS 5.5 indicates local low-complexity exploitation requiring authenticated access. EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation activity. Vendor patches available via stable kernel tree commits.
Stored XSS in Jupyter Notebook's CommandLinker feature enables authentication token theft through malicious notebook files, leading to complete account takeover. Attackers craft notebook files with disguised controls that, when clicked once by victims, execute arbitrary code via the Jupyter REST API, granting full filesystem access and kernel control. Reported by NVIDIA AI Red Team. Vendor-released patches available: Jupyter Notebook 7.5.6 and JupyterLab 4.5.7. No public exploit code identified at time of analysis, but proof-of-concept demonstrated internally by NVIDIA researchers. This vulnerability targets data science and ML engineering environments where notebook sharing is common practice.
Server-side request forgery in NVIDIA NemoClaw's validateEndpointUrl() function allows local attackers with user interaction to supply crafted endpoint URLs targeting the 0.0.0.0/8 address range via blueprint configuration files or CLI flags, leading to information disclosure. The vulnerability affects all versions of NemoClaw and requires local access with user interaction to trigger, limiting exposure to systems where untrusted users can modify configuration or invoke CLI commands.
Remote unauthenticated attackers can exfiltrate sensitive host environment variables from NVIDIA NeMoClaw by injecting malicious prompts that bypass sandbox access controls. The vulnerability affects the sandbox initialization component and enables information disclosure without requiring any authentication or user interaction (CVSS 8.6, AV:N/AC:L/PR:N/UI:N). Cross-scope impact (S:C) indicates the attack breaks out of the intended sandbox boundary to access host-level secrets. EPSS and KEV status not available; this appears to be a recently disclosed AI/LLM agent security issue.
NVIDIA Flare SDK is vulnerable to path traversal via improper input validation, allowing authenticated remote attackers to disclose sensitive information. The vulnerability affects all versions of the SDK and requires valid user credentials to exploit, making it a moderate-risk issue for organizations using Flare in multi-user environments. No public exploit code or active exploitation has been identified.
Remote code execution in NVIDIA FLARE SDK allows authenticated attackers to execute arbitrary code by sending maliciously crafted FOBS-encoded messages that exploit unsafe deserialization in the FOBS component. The vulnerability affects federated learning deployments where NVIDIA FLARE SDK processes messages from low-privileged authenticated users, enabling complete system compromise with high impact to confidentiality, integrity, and availability. No active exploitation confirmed (not in CISA KEV) and public exploit status unknown at time of analysis.
Authentication bypass in NVIDIA NVFlare Dashboard allows remote unauthenticated attackers to escalate privileges through user-controlled key manipulation in the authentication system. The vulnerability affects the NVIDIA Flare SDK and enables complete system compromise including arbitrary code execution, data tampering, information disclosure, and denial of service. With a CVSS score of 9.8 (critical severity) and maximum exploitability metrics (AV:N/AC:L/PR:N/UI:N), this represents a severe security flaw requiring immediate remediation, though no active exploitation (KEV) or public exploit code has been identified at time of analysis.
Out-of-bounds read in NVIDIA CUDA-Q endpoint allows remote unauthenticated attackers to crash services and disclose sensitive memory contents via malformed network requests. The vulnerability affects an exposed network endpoint with no authentication barrier (CVSS AV:N/AC:L/PR:N/UI:N), enabling trivial exploitation against internet-facing deployments. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting exploitation remains theoretical or limited to targeted scenarios.
Authorization bypass in NVIDIA KAI Scheduler allows authenticated network attackers to access protected API endpoints and disclose sensitive information across security boundaries. The vulnerability (CWE-306: Missing Authentication for Critical Function) enables low-privileged authenticated users to read high-value data outside their intended scope (CVSS scope changed to 'C', high confidentiality impact). NVIDIA has published advisory 5818 with remediation guidance. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.
NVIDIA KAI Scheduler contains an improper authorization vulnerability allowing authenticated attackers to reference pods across Kubernetes namespaces they do not own, enabling data tampering. The vulnerability requires valid credentials and network access to the scheduler but does not permit confidentiality breaches or denial of service. CVSS 4.3 (low) reflects authenticated access requirement and integrity impact only; no active exploitation or public POC identified.
Remote denial of service in NVIDIA Triton Inference Server versions prior to r26.02 allows unauthenticated attackers to crash the server by sending malformed HTTP request headers over the network. The vulnerability scores 7.5 (High) with maximum availability impact, requires no authentication or user interaction, and has low attack complexity. EPSS and KEV data not provided; no public exploit identified at time of analysis.
Remote denial of service in NVIDIA Triton Inference Server (all versions prior to r26.02) allows unauthenticated attackers to crash the server via malformed requests. The vulnerability has a CVSS score of 7.5 with network-accessible attack vector and low complexity, requiring no privileges or user interaction. EPSS data not provided; no public exploit identified at time of analysis. The issue stems from improper conversion between numeric types (CWE-681), enabling trivial service disruption for ML inference workloads.
Integer overflow in NVIDIA Triton Inference Server allows unauthenticated remote attackers to crash the server through malformed requests, causing denial of service. All versions prior to r26.02 are affected. CVSS 7.5 (High) with network attack vector, low complexity, and no authentication required. EPSS and KEV data not provided; no public exploit identified at time of analysis. Organizations running Triton Inference Server for ML model deployment should prioritize patching to prevent service disruption.
NVIDIA Triton Inference Server prior to r26.02 allows unauthenticated remote attackers to trigger information disclosure and denial of service through malicious model configuration uploads, exploiting a path traversal vulnerability (CWE-22) that enables access to sensitive files outside intended directories. The CVSS 4.8 score reflects moderate risk with high attack complexity, though real-world exploitation likelihood depends on network accessibility to model upload endpoints.
NVIDIA Triton Inference Server crashes when processing inference requests with insufficient input validation combined with large output counts, enabling remote denial of service without authentication (CVSS 7.5, EPSS data not available). The vulnerability affects all versions prior to r26.02, with no public exploit identified at time of analysis. Unauthenticated remote attackers can exploit this flaw with low complexity (AV:N/AC:L/PR:N) to completely disrupt machine learning inference services.
Arbitrary code execution in NVIDIA DALI (all versions prior to 2.0) allows local authenticated attackers with low privileges to execute malicious code by exploiting insecure deserialization of untrusted data, requiring user interaction. EPSS exploitation probability and KEV status data not available; no public exploit identified at time of analysis. The vulnerability affects NVIDIA's Data Loading Library, a critical component in AI/ML data preprocessing pipelines.
Deserialization of untrusted data in NVIDIA BioNeMo Framework enables local attackers to execute arbitrary code, cause denial of service, disclose sensitive information, or tamper with data when users open malicious files. CVSS 7.8 (High) reflects local attack vector requiring user interaction. EPSS data not available; no public exploit identified at time of analysis. Affects NVIDIA BioNeMo Framework, a platform for AI-driven drug discovery and biomolecular research.
Insecure deserialization in NVIDIA BioNeMo Framework enables remote code execution when attackers can induce users to process malicious serialized data. This vulnerability (CWE-502) affects the BioNeMo Framework with network-reachable attack surface (AV:N) and low complexity (AC:L), requiring only user interaction (UI:R) but no authentication (PR:N). The CVSS 8.8 rating reflects critical impacts across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the deserialization vulnerability class is well-understood and commonly exploited. EPSS data not available for this CVE.
Command injection in NVIDIA Jetson Linux initrd allows physical attackers to execute arbitrary code with elevated privileges across Jetson Xavier, Orin, and Thor series devices. An attacker with physical access can inject malicious command-line arguments during boot without authentication (CVSS:3.1/AV:P/AC:L/PR:N), leading to complete system compromise including root-level code execution, denial of service, and data exfiltration. EPSS data not available; no public exploit identified at time of analysis, though the low attack complexity (AC:L) and physical-only requirement (AV:P) suggest exploitation is straightforward for adversaries with device access.
Information disclosure in NVIDIA Jetson Linux affects Xavier, Orin, and Thor series devices due to the nvluks trusted application remaining enabled in initrd. A local attacker with physical access and low-level privileges can exploit this to read sensitive data from the device, as confirmed by CWE-501 (CLS: Malicious Code Not Included in Executable) indicating improper access control to privileged components. CVSS 5.2 reflects the high confidentiality impact but requires physical attack vector and authenticated access; no public exploit or CISA KEV status reported.
NVIDIA Jetson system initialization flaw allows authenticated remote attackers to exploit insecure default machine IDs, enabling cross-device information disclosure of encrypted data and tampering. Affects JetPack on Xavier and Orin series devices. CVSS 8.3 (High) with network attack vector and low complexity. EPSS data not available; no confirmed active exploitation (CISA KEV status not present). The vulnerability enables attackers with low-level privileges to compromise multiple devices sharing identical default machine identifiers, undermining cryptographic protections and system integrity across the device fleet.
NVIDIA NeMo Framework contains an insecure deserialization vulnerability (CWE-502) that allows authenticated local attackers to execute arbitrary code. The vulnerability affects NVIDIA NeMo Framework installations and can lead to code execution, privilege escalation, information disclosure, and data tampering. According to CISA's SSVC framework, there is currently no evidence of active exploitation in the wild, and the attack is not automatable, though technical impact is rated as total.
NVIDIA NeMo Framework contains a remote code execution vulnerability in its checkpoint loading mechanism caused by insecure deserialization (CWE-502). Attackers with local access and low privileges can exploit this to achieve code execution, privilege escalation, information disclosure, and data tampering with high impact on confidentiality, integrity, and availability. According to SSVC framework, there is currently no observed exploitation in the wild, though the technical impact is rated as total.
NVIDIA Model Optimizer for Windows and Linux contains an unsafe deserialization vulnerability in its ONNX quantization feature that allows attackers to execute arbitrary code by providing a malicious input file. Users who process untrusted ONNX model files are at risk of complete system compromise, including code execution, privilege escalation, data tampering, and information disclosure. There is no current evidence of active exploitation (not in CISA KEV) or public proof-of-concept availability.
NVIDIA Triton Inference Server contains a denial of service vulnerability in its HTTP endpoint that can be exploited by sending large compressed payloads. The vulnerability has a CVSS score of 7.5 (High) and is exploitable remotely without authentication or user interaction. There is no evidence of active exploitation (not in CISA KEV), and no public proof-of-concept has been identified at this time.
NVIDIA Triton Inference Server contains a race condition vulnerability (CWE-362) that allows unauthenticated remote attackers to corrupt internal server state, resulting in a denial of service. The vulnerability affects NVIDIA Triton Inference Server across multiple versions and can be exploited over the network with low attack complexity requiring no privileges or user interaction. With a CVSS score of 7.5 (High) and an EPSS score not provided, this represents a significant availability risk for organizations running AI/ML inference workloads.
NVIDIA Triton Inference Server's Sagemaker HTTP server contains a race condition vulnerability that allows unauthenticated remote attackers to trigger an exception, resulting in denial of service. The vulnerability affects NVIDIA Triton Inference Server deployments using the Sagemaker HTTP server component and can be exploited over the network without authentication or user interaction. There is no indication of active exploitation (not in CISA KEV), and EPSS data was not provided, but the CVSS score of 7.5 (High) reflects the ease of exploitation.
NVIDIA APEX for Linux contains a deserialization of untrusted data vulnerability that affects environments using PyTorch versions earlier than 2.6. An attacker with low privileges on an adjacent network can exploit this flaw to achieve code execution, denial of service, privilege escalation, data tampering, and information disclosure with scope change (CVSS 9.0 Critical). No KEV listing or public POC availability has been reported at this time.
NVIDIA Megatron-LM contains an unsafe deserialization vulnerability (CWE-502) in its checkpoint loading mechanism that allows remote code execution when a user loads a maliciously crafted checkpoint file. The vulnerability affects NVIDIA Megatron-LM installations and can lead to code execution, privilege escalation, information disclosure, and data tampering with a CVSS score of 7.8. The attack requires local access and low privileges but no user interaction once the malicious file is loaded.
NVIDIA Megatron-LM contains an insecure deserialization vulnerability (CWE-502) during model inferencing that allows remote code execution when a user loads a maliciously crafted input file. This vulnerability has a CVSS score of 7.8 and requires local access with low privileges but no user interaction, enabling attackers to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. The vulnerability affects NVIDIA's large language model training framework widely used in AI research and production environments.
NVIDIA Megatron-LM contains an unsafe deserialization vulnerability (CWE-502) in its checkpoint loading functionality that allows remote code execution when a user is tricked into loading a maliciously crafted checkpoint file. The vulnerability affects NVIDIA Megatron-LM installations and can lead to code execution, privilege escalation, information disclosure, and data tampering with a CVSS score of 7.8. There is no current indication of active exploitation in CISA's KEV catalog, and EPSS data was not provided in the intelligence sources.
NVIDIA Megatron-LM contains a critical unsafe deserialization vulnerability (CWE-502) in its hybrid conversion script that allows remote code execution when a user loads a maliciously crafted file. The vulnerability affects NVIDIA Megatron-LM installations and enables attackers to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. With a CVSS score of 7.8 and local attack vector requiring low privileges and no user interaction, this represents a significant risk for organizations using this large language model training framework.
NVIDIA Megatron LM contains an insecure deserialization vulnerability (CWE-502) in its quantization configuration loading mechanism that enables remote code execution. Attackers with local access and low privileges can exploit this flaw to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. The vulnerability has a CVSS score of 7.8 and affects all versions of NVIDIA Megatron LM based on available CPE data.
This vulnerability in NVIDIA's B300 MCU (specifically the CX8 MCU component) allows privileged attackers with network access to modify unsupported hardware registries, potentially causing denial of service and data tampering. The flaw affects HGX and DGX B300 systems and requires high privileges and non-trivial attack complexity to exploit, though no public exploit code or active exploitation has been reported at this time. SSVC assessment indicates the vulnerability presents partial technical impact with no known automated exploitation capability.
NVIDIA SNAP-4 Container contains a buffer size calculation vulnerability in its configuration interface that allows an authenticated attacker on the same virtualized environment to trigger a denial of service condition. An attacker with local VM access and low-level privileges can send specially crafted configuration payloads that cause incorrect buffer size calculations, resulting in crashes of the SNAP storage service and loss of storage availability to the host. There is currently no evidence of active exploitation or public proof-of-concept code, and the SSVC framework indicates no known exploitation has occurred, though the vulnerability is automatable in principle.
NVIDIA SNAP-4 Container contains a use-of-out-of-range pointer offset vulnerability in the VIRTIO-BLK component that allows a malicious guest VM to trigger memory corruption and denial of service. The vulnerability affects NVIDIA SNAP-4 Container across all versions as indicated by the CPE string. A successful exploit results in denial of service to the DPA (Data Processing Appliance) and impacts storage availability to other VMs, though no code execution or information disclosure is possible. There is no evidence of active exploitation in the wild (KEV status indicates none), and the CVSS score of 6.8 reflects moderate severity with high availability impact but limited exploitability due to requiring adjacent network access and user privileges.
NVIDIA NeMo framework contains a vulnerability in a predefined variable, where an attacker could cause inclusion of functionality from an untrusted control sphere by use of a predefined variable. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP and LLM components, where malicious data created by an attacker could cause code injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA NeMo Agent Toolkit UI for Web contains a vulnerability in the chat API endpoint where an attacker may cause a Server-Side Request Forgery. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. Rated low severity (CVSS 2.3), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause incorrect control flow behavior. Rated low severity (CVSS 3.2), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a NULL pointer dereference. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause unexpected memory buffer operations. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause improper processing of input data. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause improper validation of integrity. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause an arbitrary memory read. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in OSROOT firmware, where an attacker could cause an invalid memory read. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware where an attacker could cause an out-of-bound write. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause an out-of-bound write. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in hardware resources where an attacker could tamper with hardware controls. Rated high severity (CVSS 8.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT, where an attacker could use privileged access to gain access to SoC protected areas. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA Triton Inference Server for Linux and Windows contains a vulnerability where an attacker could cause a stack overflow by sending extra-large payloads. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
NVIDIA AIStore contains a vulnerability in AuthN. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
NVIDIA AIStore contains a vulnerability in AuthN where an unauthenticated user may cause information disclosure. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
NVIDIA NeMo Framework for all platforms contains a vulnerability in the bert services component where malicious data created by an attacker may cause a code injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA NeMo Framework for all platforms contains a vulnerability in a script, where malicious input created by an attacker may cause improper control of code generation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA RunAI for all platforms contains a vulnerability where a user could cause an improper restriction of communications channels on an adjacent network. Rated medium severity (CVSS 6.2). No vendor patch available.
NVIDIA NVApp for Windows contains a vulnerability in the installer, where a local attacker can cause a search path element issue. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Allow UD qp_type to join multicast only As for multicast: - The SIDR is the only mode that makes sense; - Besides PS_UDP, other port spaces like PS_IB is also allowed, as it is UD compatible. In this case qkey also needs to be set [1]. This patch allows only UD qp_type to join multicast, and set qkey to default if it's not set, to fix an uninit-value error: the ib->rec.qkey field is accessed without being initialized. ===================================================== BUG: KMSAN: uninit-value in cma_set_qkey drivers/infiniband/core/cma.c:510 [inline] BUG: KMSAN: uninit-value in cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570 cma_set_qkey drivers/infiniband/core/cma.c:510 [inline] cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570 cma_iboe_join_multicast drivers/infiniband/core/cma.c:4782 [inline] rdma_join_multicast+0x2b83/0x30a0 drivers/infiniband/core/cma.c:4814 ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479 ucma_join_multicast+0x1e3/0x250 drivers/infiniband/core/ucma.c:1546 ucma_write+0x639/0x6d0 drivers/infiniband/core/ucma.c:1732 vfs_write+0x8ce/0x2030 fs/read_write.c:588 ksys_write+0x28c/0x520 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __ia32_sys_write+0xdb/0x120 fs/read_write.c:652 do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline] __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180 do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205 do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c Local variable ib.i created at: cma_iboe_join_multicast drivers/infiniband/core/cma.c:4737 [inline] rdma_join_multicast+0x586/0x30a0 drivers/infiniband/core/cma.c:4814 ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479 CPU: 0 PID: 29874 Comm: syz-executor.3 Not tainted 5.16.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ===================================================== [1] https://lore.kernel.org/linux-rdma/20220117183832.GD84788@nvidia.com/
NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an User/Attacker may cause an authorized action. Rated high severity (CVSS 8.7), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA Delegated Licensing Service for all appliance platforms contains a SQL injection vulnerability where an User/Attacker may cause an authorized action. Rated medium severity (CVSS 4.6). No vendor patch available.
NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an User/Attacker may cause an authorized action. Rated low severity (CVSS 2.4). No vendor patch available.
NVIDIA Megatron-LM for all platforms contains a vulnerability in the ensemble_classifer script where malicious data created by an attacker may cause an injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA Megatron-LM for all platforms contains a vulnerability in the msdp preprocessing script where malicious data created by an attacker may cause an injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA Megatron-LM for all platforms contains a vulnerability in the tasks/orqa/unsupervised/nq.py component, where an attacker may cause a code injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA Megatron-LM for all platforms contains a vulnerability in the pretrain_gpt script, where malicious data created by an attacker may cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA CUDA Toolkit contains a vulnerability in cuobjdump, where an unprivileged user can cause a NULL pointer dereference. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.