PatchSiren cyber security CVE debrief
CVE-2026-24163 NVIDIA CVE debrief
CVE-2026-24163 is a HIGH-severity NVIDIA TensorRT-LLM issue caused by unsafe deserialization in RPC testing. The published NVD data ties the flaw to CWE-502 and indicates vulnerable TensorRT-LLM versions ending before 1.2. If exploited, the impact can include code execution, denial of service, data tampering, and information disclosure.
- Vendor: NVIDIA
- Product: TensorRT-LLM
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
Teams operating NVIDIA TensorRT-LLM deployments, especially administrators and developers who use RPC testing workflows or run older builds. Security teams should pay particular attention where privileged local access is available or where test tooling is present on production-adjacent hosts.
Technical summary
The CVE was published on 2026-05-20 and the official records identify an unsafe deserialization weakness in TensorRT-LLM RPC testing. NVD classifies the issue as CWE-502 and rates it CVSS 3.1 7.5 HIGH with vector AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating local access and high privileges are required for exploitation. The vulnerable CPE entry covers nvidia:tensorrt_llm versions before 1.2, and NVIDIA’s PSIRT advisory is listed as the vendor remediation reference.
Defensive priority
High priority for any environment running TensorRT-LLM versions before 1.2, but especially where privileged local users, shared systems, or RPC testing infrastructure are present. Because exploitation requires local access and high privileges, patching and access control hardening should be prioritized alongside exposure reduction.
Recommended defensive actions
- Inventory NVIDIA TensorRT-LLM installations and confirm whether any deployment is earlier than version 1.2.
- Follow NVIDIA PSIRT guidance in advisory 5805 and upgrade or otherwise remediate to a fixed release when available.
- Restrict access to RPC testing functionality and remove unnecessary test tooling from production or shared systems.
- Limit privileged local access on affected hosts and reduce the number of users or services that can interact with TensorRT-LLM testing paths.
- Review logs and host activity for unusual local activity or errors associated with deserialization and RPC test processing.
- If immediate remediation is not possible, isolate affected systems and minimize trust in externally supplied or untrusted RPC test inputs.
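For the inventory step above, a version check against the CPE bound (versionEndExcluding 1.2) can be scripted. The following is an added example, not NVIDIA's or the source records' code; the distribution name `tensorrt_llm`, the hostnames and the sample versions are assumptions made for illustration, and 1.2 pre-release builds are flagged for manual review because the records on this page do not say whether they carry the fix.

```python
import re
from importlib import metadata

# versionEndExcluding from the CPE criterion quoted on this page.
VERSION_END_EXCLUDING = (1, 2)
PRERELEASE = re.compile(r"[.\-_]?(a|b|rc|dev|alpha|beta|pre)", re.I)

def classify(version):
    """Map a TensorRT-LLM version string to 'affected', 'review' or 'outside-range'."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)(.*)$", version or "")
    if not m:
        return "review"  # missing or unparseable: needs a manual check
    release = [int(part) for part in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()  # treat 1.2.0 and 1.2 as the same release
    release = tuple(release)
    if release < VERSION_END_EXCLUDING:
        return "affected"
    if release == VERSION_END_EXCLUDING and PRERELEASE.match(m.group(2)):
        # 1.2 pre-releases sort before 1.2; confirm against the vendor advisory
        return "review"
    return "outside-range"

def installed_version(dist="tensorrt_llm"):
    """Version of the locally installed package, or None (dist name is an assumption)."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None

def scan(inventory):
    """Return {host: status} for a {host: version string} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "infer-01": "0.17.0",
    "infer-02": "1.1.0rc2",
    "infer-03": "1.2.0rc1",
    "infer-04": "1.2.0",
    "build-01": "unknown",
}

if __name__ == "__main__":
    for host, status in scan(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    local = installed_version()
    print("local:", local, classify(local) if local else "not installed")
```

Hosts reported as "outside-range" only fall outside the published CPE range; test tooling left on those hosts is still covered by the access-restriction items in the list above.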
Evidence notes
The source corpus states that NVIDIA TRT-LLM for any platform contains a vulnerability in RPC testing that could cause unsafe deserialization. NVD metadata maps the weakness to CWE-502 and provides the CVSS 3.1 vector AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H. The vulnerable CPE criterion specifies cpe:2.3:a:nvidia:tensorrt_llm:*:*:*:*:*:*:*:* with versionEndExcluding 1.2, and the supplied references include the NVD detail page, the CVE.org record, and NVIDIA’s vendor advisory.
Official resources
- CVE-2026-24163 CVE record (CVE.org)
- CVE-2026-24163 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (Vendor Advisory)
Publicly disclosed on 2026-05-20 in the NVIDIA PSIRT/NVD/CVE records provided in the source corpus. No KEV listing was supplied.