PatchSiren

CVE-2026-24160 NVIDIA CVE debrief

CVE-2026-24160 is a medium-severity vulnerability in NVIDIA TRT-LLM for any platform. The affected code does not check a return value, and an attacker could use this to cause a null pointer dereference, which may lead to denial of service. The supplied NVD data maps affected versions to NVIDIA TRT-LLM releases before 1.2.

Vendor: NVIDIA
Product: TensorRT-LLM
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Administrators, developers, and security teams running NVIDIA TRT-LLM in production or test environments should review this issue, especially if they are on versions earlier than 1.2. Service owners who depend on inference availability should treat crash resilience as a priority.

Technical summary

The official record identifies the weakness as CWE-690 (unchecked return value) and provides a CVSS 3.1 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The vulnerable CPE range covers nvidia:tensorrt_llm versions ending before 1.2. If the vulnerable code path is reached, the resulting null pointer dereference can disrupt availability rather than confidentiality or integrity.

Defensive priority

Medium

Recommended defensive actions

  • Review NVIDIA PSIRT guidance for CVE-2026-24160 and confirm whether your deployment uses NVIDIA TRT-LLM.
  • Inventory installed TRT-LLM versions and identify any instance earlier than 1.2.
  • Upgrade to a fixed release at or after 1.2 if you are affected.
  • Validate service behavior after updating, with attention to crashes or unexpected shutdowns.
  • Monitor affected systems for application failures that could indicate denial-of-service conditions.
  • Coordinate remediation through normal change management for production inference workloads.

Evidence notes

This debrief is based only on the supplied official metadata: the NVD record, the CVE record, and the NVIDIA vendor advisory reference. The source corpus states the weakness is CWE-690, the CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, and the vulnerable CPE range ends before version 1.2. The supplied corpus does not include the text of the vendor advisory itself, and the issue is not marked as a CISA KEV item.

Official resources

CVE-2026-24160 was published and last modified on 2026-05-20 in the supplied official records. No KEV date is provided in the corpus.