CVE-2026-24162

Vulnerability

NVIDIA Transformers4Rec for Linux contains a vulnerability involving improper deserialization of untrusted data [1]. This issue affects the library's handling of serialized objects, where an attacker can supply malicious serialized data that the application deserializes without proper sanitization. The exact affected versions are not detailed in the available references, but the vulnerability exists within the Linux build of Transformers4Rec [1].

Exploitation

An attacker with network access to a system running the vulnerable Transformers4Rec library can craft a malicious serialized object and deliver it to the application, for example by uploading a file or sending it over a network protocol [1]. No user interaction beyond the server processing the provided data is required. The attacker does not need prior authentication if the deserialization endpoint is publicly accessible [1].

Impact

Successful exploitation of this vulnerability could allow the attacker to achieve arbitrary code execution on the affected system, tamper with data handled by Transformers4Rec, and disclose sensitive information processed by the library [1]. The attacker may gain full control over the application's process, with privileges equivalent to those of the running service.

Mitigation

Not yet disclosed in the available references [1]. Users should monitor NVIDIA's security advisories for a patched version of Transformers4Rec. No workaround is provided in the current advisory. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date.