Skip to main content

Nvidia

Vendor security scorecard – 94 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 350
94
CVEs
8
Critical
60
High
0
KEV
2
PoC
57
Unpatched C/H
21.3%
Patch Rate
0.1%
Avg EPSS

Severity Breakdown

CRITICAL
8
HIGH
60
MEDIUM
26
LOW
0

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-24207 Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected functionality over the network, potentially chaining to code execution, privilege escalation, data tampering, denial of service, or information disclosure. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) reflects a critical severity issue affecting an AI/ML inference platform commonly deployed in production model-serving environments. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV. CRITICAL 9.8 0.1% 69
PoC No patch
CVE-2026-41512 Remote code execution in ai-scanner versions 1.0.0 through 1.4.0 allows authenticated attackers to inject and execute arbitrary JavaScript code via the BrowserAutomation::PlaywrightService component. The vulnerability has a Critical CVSS score of 9.9 with scope change, enabling cross-boundary compromise of confidentiality, integrity, and availability. Vendor-released patch available in version 1.4.1 as of April 13, 2026, with GitHub Security Advisory GHSA-r27j-xxgx-f5vr confirming the fix. CRITICAL 9.9 0.2% 50
CVE-2026-24178 Authentication bypass in NVIDIA NVFlare Dashboard allows remote unauthenticated attackers to escalate privileges through user-controlled key manipulation in the authentication system. The vulnerability affects the NVIDIA Flare SDK and enables complete system compromise including arbitrary code execution, data tampering, information disclosure, and denial of service. With a CVSS score of 9.8 (critical severity) and maximum exploitability metrics (AV:N/AC:L/PR:N/UI:N), this represents a severe security flaw requiring immediate remediation, though no active exploitation (KEV) or public exploit code has been identified at time of analysis. CRITICAL 9.8 0.1% 49
CVE-2026-24270 Authentication bypass in NVIDIA AIStore, a scalable distributed object-storage framework for AI/ML data pipelines, lets a remote attacker circumvent access controls (CWE-290) and reach protected functionality without valid credentials. Because the flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8), successful exploitation can enable information disclosure of stored datasets, tampering with training data, privilege escalation, and denial of service. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV. CRITICAL 9.8 0.8% 49
No patch
CVE-2026-55447 Arbitrary file read leading to remote code execution affects Langflow versions prior to 1.9.2 in any flow that uses BaseFileComponent-derived nodes (Read File, Docling, Docling Serve, NVIDIA Retriever Extraction, Video File, Unstructured API). An attacker who can submit a TAR archive containing symlinks - for example through a RAG ingestion pipeline that accepts user documents - causes the server to follow those links and ingest arbitrary host files such as Langflow's JWT secret_key, which can then be used to forge admin tokens and execute Python via the Code Interpreter node. Publicly available exploit code exists (researcher-published PoC archive and demo video); not listed in CISA KEV. CRITICAL 9.6 0.3% 48
CVE-2026-53805 Unauthenticated remote code execution in NVIDIA Spatial Intelligence Lab's GEN3C inference API server allows network attackers to execute arbitrary Python code by sending crafted pickle payloads to the /request-inference and /seed-model endpoints. The endpoints feed raw HTTP bodies directly into pickle.loads() with no authentication or validation, so a standard __reduce__ gadget yields code execution as the inference process. No public exploit identified at time of analysis, but the upstream patch and a VulnCheck advisory document the precise vulnerable code path. CRITICAL 9.3 0.7% 47
CVE-2026-62239 Arbitrary file write via symlink attack in FlashAttention's build toolchain (through 2.8.3.post1) allows a local low-privileged attacker to redirect NVIDIA archive extraction to attacker-controlled paths by pre-planting a symlink in the predictable cache directory before a victim initiates a build. The hopper/setup.py download_and_copy() function called tarfile.extractall() without symlink validation or path confinement, meaning extracted NVIDIA toolchain binaries could be written anywhere accessible to the victim's process. No active exploitation is confirmed in CISA KEV, but a publicly available proof-of-concept exists at GitHub issue #2637 and a vendor patch is available in commit 0816ef1. MEDIUM 5.3 0.1% 46
PoC
CVE-2025-23350 Out-of-bounds write in the command interface of NVIDIA ConnectX network adapters and BlueField DPUs allows a local user holding an assigned virtual function (VF) to corrupt device memory via crafted input, potentially achieving arbitrary code execution on the device itself. Because the flaw sits at the firmware command interface reachable from a SR-IOV guest, a successful exploit crosses the guest/device trust boundary (CVSS scope-changed, base 9.0) and can compromise the host that owns the adapter. This is a vendor-reported issue with no public exploit identified at time of analysis and no CISA KEV listing. CRITICAL 9.0 0.3% 45
No patch
CVE-2025-23351 Out-of-bounds write in the command interface of NVIDIA ConnectX SmartNICs and BlueField DPUs allows a local user holding virtual function (VF) access - typically a tenant inside a guest VM - to corrupt device memory via crafted input and potentially achieve arbitrary code execution on the network device itself. Because the CVSS scope is Changed (S:C), a successful exploit crosses the VF isolation boundary and threatens the host and other tenants, making this a serious multi-tenant/cloud isolation-breakout risk. There is no public exploit identified at time of analysis and it is not listed in CISA KEV. CRITICAL 9.0 0.3% 45
No patch
CVE-2026-24217 Path traversal in NVIDIA BioNeMo Core for Linux allows remote attackers to escape intended directory boundaries when a user is induced to load a malicious file, enabling code execution, information disclosure, data tampering, or denial of service. The flaw carries a high CVSS score of 8.8 driven by network reachability and full CIA impact, though exploitation requires user interaction; no public exploit identified at time of analysis. HIGH 8.8 0.1% 44
No patch
CVE-2026-24186 Remote code execution in NVIDIA FLARE SDK allows authenticated attackers to execute arbitrary code by sending maliciously crafted FOBS-encoded messages that exploit unsafe deserialization in the FOBS component. The vulnerability affects federated learning deployments where NVIDIA FLARE SDK processes messages from low-privileged authenticated users, enabling complete system compromise with high impact to confidentiality, integrity, and availability. No active exploitation confirmed (not in CISA KEV) and public exploit status unknown at time of analysis. HIGH 8.8 0.1% 44
No patch
CVE-2026-24187 Local privilege escalation and code execution in the NVIDIA Display Driver for Linux (GeForce, RTX/Quadro/NVS, Tesla, and vGPU Guest/Manager components) stems from a use-after-free memory corruption flaw (CWE-416) that a local low-privileged user can trigger to compromise the kernel-level driver. The scope-changed CVSS 8.8 score reflects that successful exploitation crosses a trust boundary, potentially yielding code execution, privilege escalation, information disclosure, data tampering, or denial of service. EPSS is 0.01% (1st percentile) and there is no public exploit identified at time of analysis, but a vendor patch is available across all affected branches. HIGH 8.8 0.0% 44
CVE-2026-24222 Remote unauthenticated attackers can exfiltrate sensitive host environment variables from NVIDIA NeMoClaw by injecting malicious prompts that bypass sandbox access controls. The vulnerability affects the sandbox initialization component and enables information disclosure without requiring any authentication or user interaction (CVSS 8.6, AV:N/AC:L/PR:N/UI:N). Cross-scope impact (S:C) indicates the attack breaks out of the intended sandbox boundary to access host-level secrets. EPSS and KEV status not available; this appears to be a recently disclosed AI/LLM agent security issue. HIGH 8.6 0.0% 43
No patch
CVE-2026-24260 Privilege escalation and container escape in NVIDIA Container Toolkit for Linux (and the GPU Operator that bundles it) stem from a time-of-check to time-of-use (TOCTOU) race condition that can lead to arbitrary code execution, privilege escalation, and data tampering across a scope boundary. A low-privileged attacker who can win the race may break out of the intended isolation boundary of GPU-enabled containers. No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV; NVIDIA is the reporting source via its product-security advisory 5850. HIGH 8.5 0.5% 42
No patch
CVE-2026-24233 Insecure deserialization in NVIDIA TensorRT-LLM for Linux lets a local, low-privileged attacker abuse a weakness in the restricted unpickler that handles model-weight loading, potentially achieving code execution, privilege escalation, data tampering, and information disclosure. The flaw (CWE-502, CVSS 8.4) affects the GPU LLM-inference library and stems from the restricted unpickler failing to fully constrain what can be deserialized from an untrusted model artifact. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV. HIGH 8.4 0.3% 42
No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy