PatchSiren

CVE-2026-24208 NVIDIA CVE debrief

CVE-2026-24208 is a medium-severity path traversal vulnerability in NVIDIA Triton Inference Server. According to official records, a successful network-based attack with no privileges and no user interaction could result in denial of service. The NVD record maps the issue to CWE-22 and lists affected Triton Inference Server versions before 26.03.

Vendor: NVIDIA
Product: Triton Inference Server
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

Security teams and operators running NVIDIA Triton Inference Server, especially if the service is reachable over the network or exposed in production ML inference environments.

Technical summary

Official NVD data describes the flaw as a path traversal issue in NVIDIA Triton Inference Server. The published CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (5.3, Medium), indicating a remotely reachable issue with low attack complexity and an availability impact. NVD CPE criteria mark nvidia:triton_inference_server versions with endExcluding 26.03 as vulnerable; the Linux kernel CPE entry in the same record is marked not vulnerable.

Defensive priority

Medium priority. Treat as higher urgency if Triton Inference Server is internet-facing, multi-tenant, or business-critical.

Recommended defensive actions

  • Confirm whether any environment runs NVIDIA Triton Inference Server.
  • Check deployed Triton versions and compare them with the NVD affected range (versions before 26.03).
  • Apply the vendor fix or upgrade to a non-vulnerable release per NVIDIA guidance.
  • Use the NVIDIA advisory and CVE/NVD records as the authoritative reference for remediation timing and scope.
  • After remediation, verify service availability and review logs for unexpected path-related request failures or instability.
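
The version check in the first two actions can be scripted over an image inventory. The following is an added example, not code from NVIDIA or from this debrief; it assumes Triton container tags begin with the YY.MM release (for example 25.12-py3), and the inventory lines are constructed sample data.

```python
import re

FIXED = (26, 3)  # NVD range: versions before 26.03 are affected (endExcluding 26.03)

# Assumption: the tag starts with the YY.MM release, optionally followed by a suffix.
TAG_RE = re.compile(r"^(\d{2})\.(\d{2})(?:[.-].*)?$")


def triton_release(image_ref):
    """Return (YY, MM) parsed from a tritonserver image reference, or None."""
    ref = image_ref.split("@", 1)[0]           # drop a trailing digest, if any
    _, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:                   # no tag, or the colon was a registry port
        return None
    m = TAG_RE.match(tag)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(image_ref):
    """Classify one image reference against the affected range."""
    if "tritonserver" not in image_ref:
        return "not-triton"
    rel = triton_release(image_ref)
    if rel is None:
        return "unknown"    # latest, digest-only or custom tag: check the running server
    return "affected" if rel < FIXED else "not-affected"


# Constructed sample inventory (e.g. image fields collected from an orchestrator).
INVENTORY = [
    "nvcr.io/nvidia/tritonserver:25.12-py3",
    "nvcr.io/nvidia/tritonserver:26.03-py3",
    "registry.example.internal:5000/ml/tritonserver:26.01-vllm-python-py3",
    "nvcr.io/nvidia/tritonserver@sha256:<digest>",
    "registry.example.internal/ml/tritonserver:latest",
    "docker.io/library/nginx:1.27",
]


def report(images):
    """Map each image reference to its classification."""
    return {ref: classify(ref) for ref in images}


if __name__ == "__main__":
    for ref, status in report(INVENTORY).items():
        print(f"{status:13} {ref}")
```

Images reported as unknown, and locally rebuilt images whose tag may not reflect the upstream release, need the version confirmed on the running server.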

Evidence notes

This debrief is based only on official sources in the supplied corpus: NVD, CVE.org, and the NVIDIA PSIRT advisory referenced by NVD. The NVD record is marked VulnStatus: Analyzed, published 2026-05-20T04:16:46.177Z and modified 2026-05-20T17:29:44.640Z. NVD lists the weakness as CWE-22 and the CVSS vector as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The affected CPE criteria identify NVIDIA Triton Inference Server as vulnerable before 26.03.

Official resources

Publicly disclosed in official vulnerability databases on 2026-05-20. The source record and CVE/NVD references were updated the same day.