Description
NVIDIA TRT-LLM for any platform contains a deserialization vulnerability and unsafe serialized handle. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure.
Published: 2026-05-20
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from the use of unsafe serialized handles within NVIDIA TensorRT-LLM. The deserialization flaw, identified as CWE‑502, allows a malicious payload to be processed during model loading or inference, potentially resulting in arbitrary code execution, data tampering, and the disclosure of sensitive information. The affected library is available on any platform that supports TensorRT-LLM, meaning the flaw is not limited to a single operating system or architecture.

Affected Systems

The flaw affects NVIDIA TensorRT‑LLM environments. No specific product version information is listed in this advisory, but the vulnerability applies to any installation of TensorRT‑LLM that processes serialized data.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity, and the EPSS score is not provided, making precise exploitation likelihood uncertain. The vulnerability is not currently flagged in CISA’s KEV catalog. Based on the nature of unsafe deserialization, it is likely that an attacker who can supply or influence serialized input—whether through a user‑controlled file, network message, or remote API—can induce the library to execute arbitrary code. The attack may be local if the library runs with elevated privileges or remote if it is exposed by an application that accepts untrusted data.

Generated by OpenCVE AI on May 20, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NVIDIA TensorRT-LLM to the latest release that includes the deserialization fix
  • Disable or remove functionality that accepts unchecked serialized input, such as custom model loading or legacy handle ingestion
  • Validate all serialized data before processing or execute it within a restricted sandbox environment
  • Monitor system logs for failed deserialization attempts and anomalous execution patterns

Generated by OpenCVE AI on May 20, 2026 at 04:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Nvidia
Nvidia tensorrt-llm
Vendors & Products Nvidia
Nvidia tensorrt-llm

Wed, 20 May 2026 04:45:00 +0000

Type Values Removed Values Added
Title Deserialization Vulnerability in NVIDIA TensorRT-LLM Leading to Code Execution

Wed, 20 May 2026 03:30:00 +0000

Type Values Removed Values Added
Description NVIDIA TRT-LLM for any platform contains a deserialization vulnerability and unsafe serialized handle. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure.
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L'}

Subscriptions

Nvidia Tensorrt-llm
cve-icon MITRE

Status: PUBLISHED

Assigner: nvidia

Published:

Updated: 2026-05-20T15:44:57.545Z

Reserved: 2026-01-21T19:09:27.437Z

Link: CVE-2026-24142

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-20T04:16:44.993

Modified: 2026-05-20T13:57:15.740

Link: CVE-2026-24142

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:38:01Z

Weaknesses