Description
NVIDIA Megatron-LM contains a vulnerability in the hybrid conversion script where an attacker may cause an RCE by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.
Published: 2026-03-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

NVIDIA Megatron‑LM includes a vulnerability in its hybrid conversion script that allows an attacker to execute arbitrary code by tricking a user into loading a specially crafted file. The flaw can enable not only code execution but also privilege escalation, data disclosure, and tampering, compromising both confidentiality and integrity of the system.

Affected Systems

This issue affects NVIDIA Megatron‑LM products. All versions of the Megatron‑LM hybrid conversion script that have not applied the vendor’s security update are vulnerable; specific affected releases are not enumerated in the available data.

Risk and Exploitability

The CVSS score of 7.8 indicates a high-severity vulnerability, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to persuade a user to load the malicious file with the hybrid conversion script, which would then deserialize the payload and execute it; the underlying weakness is deserialization of untrusted data (CWE‑502).

Generated by OpenCVE AI on March 26, 2026 at 01:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest NVIDIA Megatron‑LM security patch to the hybrid conversion script as soon as it becomes available.
  • If a patch is not yet available, disable or remove the hybrid conversion script from your environment to prevent execution of untrusted files.
  • Monitor your systems for the presence of suspicious input files or attempts to trigger the conversion process.
  • Keep a close eye on NVIDIA support channels or the referenced advisories for further updates or work‑arounds.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title Deserialization Vulnerability in NVIDIA Megatron‑LM Hybrid Conversion Script Enabling Remote Code Execution

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Deserialization Vulnerability in NVIDIA Megatron‑LM Hybrid Conversion Script Enabling Remote Code Execution
CPEs cpe:2.3:a:nvidia:megatron-lm:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Nvidia
Nvidia megatron-lm
Vendors & Products Nvidia
Nvidia megatron-lm

Tue, 24 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description NVIDIA Megatron-LM contains a vulnerability in the hybrid conversion script where an attacker may cause an RCE by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.
Weaknesses CWE-502
References
Metrics cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: nvidia

Published:

Updated: 2026-03-25T14:27:54.572Z

Reserved: 2025-04-15T18:51:08.847Z

Link: CVE-2025-33248

Vulnrichment

Updated: 2026-03-25T14:02:37.320Z

NVD

Status: Analyzed

Published: 2026-03-24T21:16:24.767

Modified: 2026-03-25T21:58:36.280

Link: CVE-2025-33248

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:18:49Z

Weaknesses