PatchSiren

CVE-2026-24209 NVIDIA CVE debrief

CVE-2026-24209 is a network-reachable path traversal issue in NVIDIA Triton Inference Server. According to the vendor and NVD records, a successful exploit could lead to denial of service. The issue was published on 2026-05-20 and is mapped to CWE-22, with an availability-only impact profile.

Vendor: NVIDIA
Product: Triton Inference Server
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

Operators, developers, and security teams running NVIDIA Triton Inference Server—especially services exposed to untrusted networks—should treat this as a high-priority availability issue. Environments that depend on inference availability for customer-facing or production workloads should review exposure promptly.

Technical summary

NVD lists the vulnerability as CVE-2026-24209 with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a remotely reachable flaw requiring no privileges or user interaction and impacting availability only. The recorded weakness is CWE-22 (path traversal). The NVD CPE entry identifies affected NVIDIA Triton Inference Server versions prior to 26.03, and the vendor advisory is the primary source referenced in the record.

Defensive priority

High for exposed Triton deployments. Because the issue is remotely reachable and requires no privileges or user interaction, it should be prioritized ahead of lower-impact maintenance items, especially where service uptime is critical.

Recommended defensive actions

  • Review whether NVIDIA Triton Inference Server is deployed in your environment and whether any instances are reachable from untrusted networks.
  • Upgrade to a fixed release at or beyond the vendor's non-vulnerable boundary shown in the record (26.03).
  • If immediate upgrading is not possible, restrict network exposure to trusted management or application paths only.
  • Monitor service availability and logs for abnormal requests or unexplained service interruptions affecting Triton endpoints.
  • Confirm remediation against the official NVIDIA advisory and the NVD record before closing the issue.
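
An added example, not taken from the NVIDIA advisory or the NVD record: a Python triage of a container inventory against the 26.03 boundary, combining the first three actions above. It assumes Triton images carry the release as a YY.MM tag prefix (for example 25.11-py3) and that this is the version the CPE boundary refers to; the workload names, registry host and image references are constructed.

```python
import re

FIXED_RELEASE = (26, 3)  # first non-vulnerable release per the record (26.03)

# Assumption: the tag starts with the release as YY.MM, e.g. "25.11-py3".
_TAG_RE = re.compile(r"^(\d{2})\.(\d{2})(?:[.-].*)?$")

def release_from_image(image_ref):
    """Return (year, month) parsed from the image tag, or None if not derivable."""
    ref = image_ref.split("@", 1)[0]   # drop a digest pin if present
    last = ref.rsplit("/", 1)[-1]      # last path part, so registry:port is ignored
    if ":" not in last:
        return None                    # untagged or digest-only reference
    match = _TAG_RE.match(last.split(":", 1)[1])
    if not match:
        return None                    # e.g. "latest" or a custom tag
    year, month = int(match.group(1)), int(match.group(2))
    return (year, month) if 1 <= month <= 12 else None

def classify(image_ref):
    """'vulnerable' below 26.03, 'fixed' at or above it, 'unknown' otherwise."""
    release = release_from_image(image_ref)
    if release is None:
        return "unknown"
    return "fixed" if release >= FIXED_RELEASE else "vulnerable"

def triage(inventory):
    """inventory: (workload, image_ref, exposed_to_untrusted_network) tuples.
    Returns non-fixed workloads, exposed ones first, confirmed before unknown."""
    findings = []
    for workload, image_ref, exposed in inventory:
        status = classify(image_ref)
        if status == "fixed":
            continue
        rank = (0 if exposed else 2) + (0 if status == "vulnerable" else 1)
        findings.append((rank, workload, status))
    return [(workload, status) for _, workload, status in sorted(findings)]

# Constructed sample inventory; not real deployments.
SAMPLE_INVENTORY = [
    ("search-ranker", "nvcr.io/nvidia/tritonserver:25.11-py3", True),
    ("batch-embed", "registry.internal.example:5000/ml/tritonserver:26.03-py3", False),
    ("vision-api", "nvcr.io/nvidia/tritonserver@sha256:" + "0" * 64, True),
    ("lab-sandbox", "nvcr.io/nvidia/tritonserver:24.08-py3", False),
]

if __name__ == "__main__":
    for workload, status in triage(SAMPLE_INVENTORY):
        print(f"{workload}: {status}")
```

Workloads reported as unknown (digest-pinned or custom-tagged images) need their release confirmed by hand before the issue is closed.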

Evidence notes

This debrief is based only on the supplied NVD record and the linked official references. The NVD metadata states vulnStatus 'Analyzed', CWE-22, CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and a vulnerable CPE range for nvidia:triton_inference_server ending before 26.03. The record cites an NVIDIA vendor advisory and CVE.org entry as official references.

Official resources

Published 2026-05-20 04:16:46 UTC; modified 2026-05-20 17:22:25 UTC. No KEV date was supplied.