PatchSiren cyber security CVE debrief
CVE-2026-24142 NVIDIA CVE debrief
CVE-2026-24142 is a medium-severity NVIDIA TensorRT-LLM vulnerability involving unsafe deserialization and an unsafe serialized handle. According to the supplied NVD record, a successful exploit may lead to code execution, data tampering, and information disclosure. The issue is scoped to TensorRT-LLM versions prior to 1.2 in the provided CPE criteria and is rated CVSS 6.3.
- Vendor: NVIDIA
- Product: TensorRT-LLM
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-21
Who should care
Teams running NVIDIA TensorRT-LLM, especially operators of shared model-serving environments and developers or integrators that process serialized TensorRT-LLM data. Organizations using versions before 1.2 should treat this as a real security maintenance item because the flaw can affect confidentiality, integrity, and availability.
Technical summary
The supplied record identifies CWE-502 (deserialization of untrusted data) and an unsafe serialized handle in NVIDIA TensorRT-LLM. NVD’s CVSS vector is AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L, indicating a local attack requiring low privileges and no user interaction, with scope change and low impact across confidentiality, integrity, and availability. The NVD CPE criteria mark nvidia:tensorrt_llm versions earlier than 1.2 as vulnerable.
Defensive priority
Medium. Prioritize remediation for any environment that allows lower-privileged users, plugins, jobs, or pipelines to reach TensorRT-LLM deserialization paths or serialized artifacts. Even though the CVSS score is moderate, the outcome can include code execution and data compromise.
Recommended defensive actions
- Upgrade NVIDIA TensorRT-LLM to a fixed release at or above version 1.2, if available from NVIDIA.
- Restrict access to any deserialization or serialized-handle ingestion paths to trusted, authenticated operators only.
- Avoid accepting serialized TensorRT-LLM artifacts from untrusted or partially trusted sources.
- Review deployment and job permissions so low-privilege local users cannot reach sensitive TensorRT-LLM processing paths.
- Monitor NVIDIA’s advisory and the official CVE/NVD records for any updated mitigation guidance or revised affected-version details.
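To act on the upgrade item, the following added example (not code from NVIDIA or from this debrief's sources) audits `pip freeze` output collected per host and flags TensorRT-LLM pins below the 1.2 threshold given in the CPE criteria. The host names and freeze contents are constructed, the `name==version` pin format is an assumption, and pre-releases of 1.2 are conservatively treated as affected.

```python
import re
# From the page: NVD CPE criteria mark versions earlier than 1.2 as vulnerable.
FIXED = (1, 2)
PKG = "tensorrt-llm"  # normalized name; assumes the package was installed with pip

def normalize(name):
    """PEP 503 normalization, so tensorrt_llm and TensorRT.LLM both match PKG."""
    return re.sub(r"[-_.]+", "-", name.strip()).lower()

def parse_version(text):
    """Return (release tuple, is_prerelease), or None if the pin is unparseable."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        return None
    release = tuple(int(p) for p in m.group(1).split("."))
    rest = m.group(2).lower().split("+", 1)[0]  # drop a local label such as +cu12
    pre = bool(re.match(r"[-_.]?(a|b|rc|alpha|beta|dev|pre)", rest))
    return release, pre

def is_vulnerable(version_text):
    """True if the version sorts before 1.2 final; unparseable pins are flagged."""
    parsed = parse_version(version_text)
    if parsed is None:
        return True  # unknown version: surface it for manual review
    release, pre = parsed
    while len(release) > 1 and release[-1] == 0:  # 1.2.0 compares equal to 1.2
        release = release[:-1]
    return release < FIXED or (release == FIXED and pre)

def audit(freeze_by_host):
    """Map host -> pinned version for hosts whose freeze shows an affected build."""
    findings = {}
    for host, freeze in freeze_by_host.items():
        for line in freeze.splitlines():
            name, sep, ver = line.partition("==")
            if sep and normalize(name) == PKG and is_vulnerable(ver):
                findings[host] = ver.strip()
    return findings

# Constructed sample inventory (hypothetical hosts and pins).
SAMPLE = {
    "gpu-a": "numpy==1.26.4\ntensorrt_llm==1.1.0\n",
    "gpu-b": "tensorrt-llm==1.2.0\ntorch==2.7.1\n",
    "gpu-c": "TensorRT_LLM==1.2.0rc2\n",
    "gpu-d": "tensorrt_llm==0.17.0.post1\n",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Hosts where TensorRT-LLM was built from source or installed from a wheel path will not show a `==` pin and need a separate check.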
Evidence notes
All claims in this debrief are drawn from the supplied official records: the CVE description, the NVD metadata, and the linked official references. The corpus identifies CWE-502, CVSS 6.3 with vector AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L, and vulnerable TensorRT-LLM CPE criteria ending before 1.2. No exploit steps or unverified mitigation details are included.
Official resources
- CVE-2026-24142 CVE record (CVE.org)
- CVE-2026-24142 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Vendor Advisory)
CVE-2026-24142 was published on 2026-05-20 and modified on 2026-05-21 in the supplied records. NVD marks the vulnerability as analyzed. No KEV entry is present in the provided timeline data.