CVE-2026-24163

Vulnerability

Overview

CVE-2026-24163 is an unsafe deserialization vulnerability found in NVIDIA TRT-LLM, a library for optimizing large language model inference. The flaw resides in the RPC testing component, where untrusted data is deserialized without proper validation. This type of weakness typically arises when an application deserializes data from an attacker-controlled source, allowing the attacker to inject malicious objects that can alter program behavior [1].

Exploitation

Scenario

An attacker can exploit this vulnerability by sending specially crafted serialized data to the RPC testing endpoint. No authentication is required if the service is exposed, making it accessible from any network position that can reach the vulnerable service. The attack surface is broadened because TRT-LLM may be deployed in cloud environments or on-premises servers where RPC interfaces are exposed for testing or debugging purposes [1].

Impact

Successful exploitation could lead to arbitrary code execution, denial of service, data tampering, or information disclosure. The exact impact depends on the privileges of the process running TRT-LLM and the context in which the deserialization occurs. Given the high CVSS score of 7.5, this vulnerability poses a significant risk to affected systems [1].

Mitigation

NVIDIA has not yet released a patch or workaround as of the publication date. Users are advised to restrict network access to the RPC testing interface and monitor for updates from NVIDIA. The vulnerability is not currently listed in the Known Exploited Vulnerabilities (KEV) catalog [1].