CVE-2026-24142

Vulnerability

Analysis

CVE-2026-24142 affects NVIDIA TRT-LLM across all platforms. The vulnerability stems from a deserialization flaw combined with an unsafe serialized handle. These issues together allow an attacker to manipulate serialized data in a way that triggers unintended behavior during deserialization [1].

Exploitation

The attack surface is broad given the cross-platform nature of TRT-LLM. Exploitation requires the ability to supply crafted serialized data to the affected component. While specific network position or authentication requirements are not detailed in the available references, deserialization vulnerabilities typically require no privileged access if the attacker can deliver the payload through a supported input channel [1].

Impact

Successful exploitation can lead to code execution, data tampering, and information disclosure. The CVSS v3 base score of 6.3 (Medium) reflects a moderate severity, but the potential for arbitrary code execution makes this a serious concern for environments where TRT-LLM processes untrusted serialized data [1].

Mitigation

At the time of publication (May 20, 2026), no specific patch or workaround has been publicly detailed. Organizations using NVIDIA TRT-LLM should monitor NVIDIA's security advisories for updates and restrict access to serialized data inputs where possible. The vulnerability is not yet listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].