Description
NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an Attacker may cause an RCE by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.
Published: 2026-03-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

NVIDIA Megatron‑LM contains a flaw that allows an attacker to cause remote code execution by persuading a user to load a maliciously crafted checkpoint file. The vulnerability can lead to code execution, privilege escalation, information disclosure and data tampering. The weakness stems from inadequate validation of checkpoint data during the loading process, identified as CWE‑502.

Affected Systems

The vulnerability affects NVIDIA Megatron‑LM. No specific version range is listed in the public data, so all deployed installations of Megatron‑LM should be reviewed for the presence of the flaw until the vendor issues a fix.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the exploit probability is low (EPSS < 1%) and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Because the attack requires an attacker to convince a user to load a malicious checkpoint, the likely vector is social engineering or user‑initiated file loading. In environments where checkpoint files are routinely loaded from untrusted sources, the risk rises, but in tightly controlled settings the chance of exploitation remains modest.

Generated by OpenCVE AI on March 26, 2026 at 01:42 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch for NVIDIA Megatron‑LM or upgrade to the latest released version that addresses the checkpoint loading flaw.
  • Validate checkpoint files with checksums or digital signatures before loading to ensure integrity and authenticity.
  • Restrict checkpoint loading to trusted directories and remove the ability to load from user‑controlled locations if possible.
  • Educate users and administrators about the dangers of loading unknown checkpoint files and enforce strict handling procedures.


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Malicious Checkpoint Loading in NVIDIA Megatron‑LM

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Malicious Checkpoint Loading in NVIDIA Megatron‑LM
CPEs cpe:2.3:a:nvidia:megatron-lm:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Nvidia
Nvidia megatron-lm
Vendors & Products Nvidia
Nvidia megatron-lm

Tue, 24 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an Attacker may cause an RCE by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: nvidia

Published:

Updated: 2026-03-25T14:27:48.213Z

Reserved: 2026-01-21T19:09:27.438Z

Link: CVE-2026-24150

Vulnrichment

Updated: 2026-03-25T14:19:56.987Z

NVD

Status: Analyzed

Published: 2026-03-24T21:16:27.357

Modified: 2026-03-25T21:58:12.560

Link: CVE-2026-24150

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:18:48Z

Weaknesses