Description
NVIDIA Megatron-LM contains a vulnerability in inferencing where an Attacker may cause an RCE by convincing a user to load a maliciously crafted input. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.
Published: 2026-03-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a flaw in the inference logic of NVIDIA Megatron‑LM that permits an attacker to craft an input that, when processed, triggers execution of arbitrary code. This flaw is tied to deserialization of user input (CWE‑502). If exploited, the attacker can run arbitrary code, potentially escalating privileges, leaking sensitive data or altering model outputs.

Affected Systems

All deployments of NVIDIA Megatron‑LM are potentially affected; the CNA does not list specific versions, so every instance of the inference component should be considered at risk until a vendor update is released.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score is below 1%, suggesting that exploitation is currently unlikely, and the vulnerability is not listed in CISA’s KEV catalog. The path to exploitation is inferred: an attacker must persuade a user or otherwise deliver a maliciously crafted input to the inference service, implying a social‑engineering or compromised‑local‑access vector. With these conditions met, the vulnerability can result in remote code execution and associated impacts.

Generated by OpenCVE AI on March 26, 2026 at 02:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check NVIDIA’s website or security advisories for an official patch or update addressing this vulnerability.
  • If a patch is available, apply it to all instances of NVIDIA Megatron‑LM as soon as possible.
  • Restrict access to the inference service to trusted users only and avoid loading inputs from untrusted sources.
  • Implement additional input validation, sanitization, or sandboxing mechanisms to mitigate the risk of malicious payloads.
  • Monitor system logs and behavior for signs of exploitation or unusual activity.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:30:00 +0000

Type | Values Removed | Values Added
Title | | Remote Code Execution via Malicious Input in NVIDIA Megatron‑LM Inference

Wed, 25 Mar 2026 22:00:00 +0000

Type | Values Removed | Values Added
Title | | Remote Code Execution via Malicious Input in NVIDIA Megatron‑LM Inference
CPEs | | cpe:2.3:a:nvidia:megatron-lm:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nvidia; Nvidia megatron-lm
Vendors & Products | | Nvidia; Nvidia megatron-lm

Tue, 24 Mar 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | NVIDIA Megatron-LM contains a vulnerability in inferencing where an Attacker may cause an RCE by convincing a user to load a maliciously crafted input. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.
Weaknesses | | CWE-502
References | |
Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: nvidia

Published:

Updated: 2026-03-25T14:27:43.000Z

Reserved: 2026-01-21T19:09:29.850Z

Link: CVE-2026-24151

Vulnrichment

Updated: 2026-03-25T14:20:17.372Z

NVD

Status: Analyzed

Published: 2026-03-24T21:16:27.517

Modified: 2026-03-25T21:57:49.383

Link: CVE-2026-24151

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:18:47Z

Weaknesses