PatchSiren cyber security CVE debrief
CVE-2026-24162 NVIDIA CVE debrief
CVE-2026-24162 is a HIGH severity vulnerability (CVSS 7.8) in NVIDIA Transformers4Rec for Linux, published on 2026-05-26. The vulnerability stems from improper deserialization of untrusted data (CWE-502), which could allow an attacker to achieve code execution, data tampering, and information disclosure. The attack vector is local (AV:L), requires low attack complexity (AC:L), no privileges (PR:N), and user interaction (UI:R). The vulnerability affects confidentiality, integrity, and availability at HIGH levels. NVIDIA has published a security bulletin addressing this issue. Organizations using Transformers4Rec on Linux should review NVIDIA's guidance and apply available patches or mitigations.
- Vendor
- NVIDIA
- Product
- Merlin Transformers4Rec
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-26
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-26
- Advisory updated
- 2026-05-26
Who should care
Organizations running NVIDIA Transformers4Rec on Linux, particularly where the library loads serialized data (saved models, pipelines or datasets, for example) from untrusted or external sources. Data science and ML engineering teams using Transformers4Rec for recommendation systems should prioritize assessment: the vector (PR:N, UI:R) means a crafted artifact only has to be opened by a user, and the attacker needs no account or privileges on the system.
Technical summary
The vulnerability exists in NVIDIA Transformers4Rec for Linux because deserialized data is not adequately validated before objects are reconstructed from it. In many serialization formats the stream itself names the classes or callables used to rebuild objects, so an attacker who controls the input decides what gets instantiated and, through that, can execute arbitrary code, modify data, or read sensitive information. The CVSS vector (AV:L, PR:N, UI:R) indicates that the attacker does not need access to the system, but does need a user to process a crafted file or input through the application; a malicious serialized artifact handed to the victim for loading is the typical path.
Defensive priority
HIGH
Recommended defensive actions
- Review NVIDIA security bulletin for patch availability and version guidance
- Identify Linux systems running NVIDIA Transformers4Rec
- Apply security updates from NVIDIA when available
- Do not deserialize data from untrusted sources; where that is unavoidable, load it with a deserializer that restricts which types and callables the stream may instantiate, or move to a data-only format (validating the raw bytes alone does not prevent CWE-502)
- Monitor for anomalous child processes, outbound connections or file writes from the Python processes in Transformers4Rec environments, which is how deserialization payloads typically surface
- Restrict access to Transformers4Rec configurations and data files
- Consider network segmentation for systems processing untrusted data
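The mechanism described in the technical summary and the restricted-deserialization advice in the list above, as an added example that is not code from NVIDIA, Transformers4Rec or this advisory. It assumes the serialized format is Python pickle, which the bulletin does not state; the `MaliciousCheckpoint` payload, the checkpoint shape, the `T4R_PWNED` marker and the allowlist contents are constructed for illustration only.

```python
"""Added example (not from the advisory or the project): how CWE-502 turns a
loaded artifact into code execution, a static pre-check, and an allowlisting
loader. Assumes Python pickle; all inputs below are constructed."""
import collections
import io
import os
import pickle
import pickletools


class MaliciousCheckpoint:
    """Constructed attacker object. pickle stores the result of __reduce__,
    i.e. an instruction to call builtins.exec(<string>) at load time.
    A real payload would call os.system or similar; this one only sets an
    environment variable so the effect can be observed safely."""

    def __reduce__(self):
        return (exec, ("import os; os.environ['T4R_PWNED'] = '1'",))


def build_malicious_payload() -> bytes:
    return pickle.dumps(MaliciousCheckpoint())


def build_legitimate_checkpoint() -> bytes:
    # Constructed stand-in for a model state dict: an OrderedDict of name -> weights.
    state = collections.OrderedDict(
        [("embedding.weight", [0.1, -0.2]), ("head.bias", [0.0])]
    )
    return pickle.dumps(state)


def attacker_marker():
    """Observable side effect of the constructed payload (None until it runs)."""
    return os.environ.get("T4R_PWNED")


def unsafe_load(data: bytes):
    """The vulnerable pattern: pickle.loads on attacker-controlled bytes.
    Any callable named by the stream executes here, before the caller
    can inspect what was loaded."""
    return pickle.loads(data)


def referenced_globals(data: bytes):
    """Static pre-check: list every module.name the stream would resolve,
    without executing it. Handles GLOBAL (protocol <= 3) and STACK_GLOBAL
    (protocol >= 4, whose operands are the two preceding string constants).
    Heuristic: a stream that fetches those strings via the memo (BINGET)
    is not resolved here, so treat this as triage, not as the sole gate."""
    found = []
    strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist-based loader: only the globals a checkpoint legitimately
    needs may be resolved. Everything else (builtins.exec, os.system, ...)
    is refused before any object is constructed. Extend ALLOWED with the
    exact (module, name) pairs your own artifacts require, nothing broader."""

    ALLOWED = {
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_or_none(data: bytes):
    """Convenience wrapper returning None when the loader refuses the stream."""
    try:
        return safe_load(data)
    except pickle.UnpicklingError:
        return None


if __name__ == "__main__":
    evil = build_malicious_payload()
    good = build_legitimate_checkpoint()
    print("globals in malicious stream:", referenced_globals(evil))
    print("globals in legitimate stream:", referenced_globals(good))
    print("restricted load of malicious stream:", safe_load_or_none(evil))
    print("restricted load of legitimate stream:", safe_load_or_none(good))
    unsafe_load(evil)
    print("unsafe load ran attacker code, marker =", attacker_marker())
```

The point the allowlist makes is that the decision happens in `find_class`, i.e. before the stream can construct anything: the malicious stream is rejected at `builtins.exec`, while the legitimate state dict loads because `collections.OrderedDict` is the only global it names. Run `referenced_globals` over an artifact first if you want a cheap triage step that never executes it.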
Evidence notes
Vulnerability confirmed via NVD entry with CVSS 3.1 vector. CWE-502 (Deserialization of Untrusted Data) identified as root cause. NVIDIA PSIRT provided official references.
Official resources
- CVE-2026-24162 CVE record (CVE.org)
- CVE-2026-24162 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-26