Skip to main content

Nvidia

Vendor security scorecard – 45 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 200
45
CVEs
5
Critical
30
High
0
KEV
1
PoC
33
Unpatched C/H
6.7%
Patch Rate
0.2%
Avg EPSS

Severity Breakdown

CRITICAL
5
HIGH
30
MEDIUM
10
LOW
0

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-24270 Authentication bypass in NVIDIA AIStore, a scalable distributed object-storage framework for AI/ML data pipelines, lets a remote attacker circumvent access controls (CWE-290) and reach protected functionality without valid credentials. Because the flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8), successful exploitation can enable information disclosure of stored datasets, tampering with training data, privilege escalation, and denial of service. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV. CRITICAL 9.8 0.8% 49
No patch
CVE-2026-55447 Arbitrary file read leading to remote code execution affects Langflow versions prior to 1.9.2 in any flow that uses BaseFileComponent-derived nodes (Read File, Docling, Docling Serve, NVIDIA Retriever Extraction, Video File, Unstructured API). An attacker who can submit a TAR archive containing symlinks - for example through a RAG ingestion pipeline that accepts user documents - causes the server to follow those links and ingest arbitrary host files such as Langflow's JWT secret_key, which can then be used to forge admin tokens and execute Python via the Code Interpreter node. Publicly available exploit code exists (researcher-published PoC archive and demo video); not listed in CISA KEV. CRITICAL 9.6 0.3% 48
CVE-2026-53805 Unauthenticated remote code execution in NVIDIA Spatial Intelligence Lab's GEN3C inference API server allows network attackers to execute arbitrary Python code by sending crafted pickle payloads to the /request-inference and /seed-model endpoints. The endpoints feed raw HTTP bodies directly into pickle.loads() with no authentication or validation, so a standard __reduce__ gadget yields code execution as the inference process. No public exploit identified at time of analysis, but the upstream patch and a VulnCheck advisory document the precise vulnerable code path. CRITICAL 9.3 0.7% 47
CVE-2026-62239 Arbitrary file write via symlink attack in FlashAttention's build toolchain (through 2.8.3.post1) allows a local low-privileged attacker to redirect NVIDIA archive extraction to attacker-controlled paths by pre-planting a symlink in the predictable cache directory before a victim initiates a build. The hopper/setup.py download_and_copy() function called tarfile.extractall() without symlink validation or path confinement, meaning extracted NVIDIA toolchain binaries could be written anywhere accessible to the victim's process. No active exploitation is confirmed in CISA KEV, but a publicly available proof-of-concept exists at GitHub issue #2637 and a vendor patch is available in commit 0816ef1. MEDIUM 5.3 0.1% 47
PoC
CVE-2025-23350 Out-of-bounds write in the command interface of NVIDIA ConnectX network adapters and BlueField DPUs allows a local user holding an assigned virtual function (VF) to corrupt device memory via crafted input, potentially achieving arbitrary code execution on the device itself. Because the flaw sits at the firmware command interface reachable from a SR-IOV guest, a successful exploit crosses the guest/device trust boundary (CVSS scope-changed, base 9.0) and can compromise the host that owns the adapter. This is a vendor-reported issue with no public exploit identified at time of analysis and no CISA KEV listing. CRITICAL 9.0 0.3% 45
No patch
CVE-2025-23351 Out-of-bounds write in the command interface of NVIDIA ConnectX SmartNICs and BlueField DPUs allows a local user holding virtual function (VF) access - typically a tenant inside a guest VM - to corrupt device memory via crafted input and potentially achieve arbitrary code execution on the network device itself. Because the CVSS scope is Changed (S:C), a successful exploit crosses the VF isolation boundary and threatens the host and other tenants, making this a serious multi-tenant/cloud isolation-breakout risk. There is no public exploit identified at time of analysis and it is not listed in CISA KEV. CRITICAL 9.0 0.3% 45
No patch
CVE-2026-24260 Privilege escalation and container escape in NVIDIA Container Toolkit for Linux (and the GPU Operator that bundles it) stem from a time-of-check to time-of-use (TOCTOU) race condition that can lead to arbitrary code execution, privilege escalation, and data tampering across a scope boundary. A low-privileged attacker who can win the race may break out of the intended isolation boundary of GPU-enabled containers. No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV; NVIDIA is the reporting source via its product-security advisory 5850. HIGH 8.5 0.5% 42
No patch
CVE-2026-24233 Insecure deserialization in NVIDIA TensorRT-LLM for Linux lets a local, low-privileged attacker abuse a weakness in the restricted unpickler that handles model-weight loading, potentially achieving code execution, privilege escalation, data tampering, and information disclosure. The flaw (CWE-502, CVSS 8.4) affects the GPU LLM-inference library and stems from the restricted unpickler failing to fully constrain what can be deserialized from an untrusted model artifact. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV. HIGH 8.4 0.3% 42
No patch
CVE-2026-47472 Local privilege-context deserialization in NVIDIA TensorRT-LLM lets an attacker who already has same-user access to a host running the inference stack abuse its inter-process communication layer to trigger unsafe object deserialization (CWE-502), potentially yielding code execution, information disclosure, data tampering, and denial of service. The flaw is vendor-reported by NVIDIA and carries a CVSS 3.1 base of 7.8 (AV:L), meaning it is not remotely reachable but converts existing local access into full compromise of the model-serving process. There is no public exploit identified at time of analysis and it is not listed in CISA KEV. HIGH 7.8 0.2% 39
No patch
CVE-2026-24243 Arbitrary code execution in NVIDIA Megatron Bridge (all versions per the NVIDIA advisory) arises from unsafe deserialization of untrusted data (CWE-502), where an attacker supplies a crafted serialized object — typically a malicious model checkpoint or configuration artifact — that a user loads locally, yielding code execution, privilege escalation, data tampering, and information disclosure. The CVSS 3.1 base score is 7.8 (High) with a local vector requiring user interaction (AV:L/UI:R) and no attacker privileges. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was provided. HIGH 7.8 0.2% 39
No patch
CVE-2026-24248 Arbitrary code execution in NVIDIA Megatron Bridge for Linux stems from improper control of code generation (CWE-94), allowing an attacker who convinces a user to process a malicious artifact to run code in the context of the training/inference workload. Successful exploitation can escalate privileges, tamper with data, and disclose information. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 3.1 vector (AV:L/UI:R) indicates local access with user interaction is required. HIGH 7.8 0.2% 39
No patch
CVE-2026-24246 Arbitrary code execution in NVIDIA Megatron Bridge on Linux arises from unsafe reflection (CWE-470), where externally-controlled input selects which classes or code resources are dynamically loaded. A local attacker who convinces a user to load a crafted artifact (e.g., a malicious model, checkpoint, or configuration) can trigger code execution, privilege escalation, data tampering, and information disclosure. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV. HIGH 7.8 0.2% 39
No patch
CVE-2026-24247 Insecure deserialization in NVIDIA Megatron Bridge for Linux (CWE-502) lets an attacker who supplies a crafted serialized object achieve code execution, privilege escalation, data tampering, and information disclosure when a local user loads that data. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) shows the attack is local and hinges on the victim opening attacker-controlled content, with no public exploit identified at time of analysis. Megatron Bridge is a specialized NVIDIA library for bridging large-language-model training frameworks, so exposure is concentrated in ML/AI training and research environments rather than general enterprise fleets. HIGH 7.8 0.2% 39
No patch
CVE-2026-24240 Deserialization of untrusted data in NVIDIA Megatron Bridge for Linux (CWE-502) can lead to arbitrary code execution, privilege escalation, data tampering, and information disclosure when a user loads attacker-controlled data. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) indicates a local attack requiring the victim to open or process a malicious artifact — consistent with unsafe deserialization of a model checkpoint, config, or serialized object. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; EPSS was not provided. HIGH 7.8 0.2% 39
No patch
CVE-2026-24249 Deserialization of untrusted data in NVIDIA Megatron Bridge for Linux allows a low-privileged local attacker to achieve code execution, privilege escalation, data tampering, and information disclosure. Megatron Bridge is NVIDIA's model-interoperability tooling used to convert and load large-language-model checkpoints in the Megatron/PyTorch training stack, where unsafe object deserialization (CWE-94) lets attacker-controlled serialized data run arbitrary code in the process context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 7.8 (High) rating with full C/I/A impact makes it a meaningful risk on shared or multi-tenant ML infrastructure. HIGH 7.8 0.2% 39
No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy