CVE-2026-24149
Description
NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, data tampering.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NVIDIA Megatron-LM contains a code injection vulnerability in a script that allows an attacker to execute arbitrary code via malicious data.
Vulnerability Overview
CVE-2026-24149 is a code injection vulnerability found in a script within NVIDIA Megatron-LM, a framework for large language model training. The vulnerability arises when the script processes maliciously crafted data provided by an attacker. The root cause is insufficient sanitization or validation of input data, allowing an attacker to inject arbitrary code into the execution flow [1].
Exploitation
An attacker can exploit this vulnerability by supplying specially crafted data to the vulnerable script. The attack does not require authentication if the script is accessible to unauthenticated users, but the specific attack vector depends on how the script is exposed (e.g., via a network service or local file processing). Successful exploitation requires the attacker to deliver the malicious data to the script, which then processes it without proper safeguards [1].
Impact
A successful exploit can lead to arbitrary code execution, privilege escalation, information disclosure, and data tampering. This means an attacker could gain full control over the affected system, access sensitive data, modify or destroy data, or disrupt operations. The CVSS v3 base score is 7.8 (High), reflecting the serious consequences of exploitation [1].
Mitigation
NVIDIA has not yet released a patch or workaround as of the publication date (2026-02-03). Users are advised to monitor NVIDIA's security advisories for updates and to restrict access to the vulnerable script where possible. Known Exploited Vulnerabilities (KEV) status is not available [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.