Description
NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an Attacker may cause an RCE by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.
Published: 2026-03-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

NVIDIA Megatron‑LM allows an attacker to supply a maliciously crafted checkpoint file that the application loads without proper validation. When such a checkpoint is loaded, attacker-supplied code can be executed, potentially leading to privilege escalation, data tampering, or information disclosure. The flaw is classified as CWE‑502 (Deserialization of Untrusted Data).

Affected Systems

The vulnerability affects NVIDIA Megatron‑LM. No specific version range is provided, meaning any deployment that uses the checkpoint loading feature is potentially impacted until an updated release is applied. Administrators should verify the SKU and version against vendor advisories to confirm exposure.

Risk and Exploitability

With a CVSS score of 7.8 the flaw is classified as high severity, yet the EPSS score of <1% suggests a low likelihood of exploitation in the near term. The vulnerability is not yet listed in the CISA KEV catalog. Exploitation requires the attacker to persuade an authorized user to load the malicious checkpoint or to place the file in a location that the system auto‑loads, implying a local or socially engineered attack vector.

Generated by OpenCVE AI on March 26, 2026 at 02:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest NVIDIA Megatron‑LM release that addresses the checkpoint validation flaw.
  • Restrict checkpoint loading to trusted directories and enforce integrity checks before importing a checkpoint.
  • Avoid loading checkpoint files from untrusted sources or users; where possible, disable automatic external checkpoint loading.
  • Monitor application logs for anomalous command execution or unusual checkpoint load attempts.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Malicious Checkpoint Loading in NVIDIA Megatron-LM

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Malicious Checkpoint Loading in NVIDIA Megatron-LM
CPEs cpe:2.3:a:nvidia:megatron-lm:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Nvidia
Nvidia megatron-lm
Vendors & Products Nvidia
Nvidia megatron-lm

Tue, 24 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an Attacker may cause an RCE by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: nvidia

Published:

Updated: 2026-03-25T14:27:34.743Z

Reserved: 2026-01-21T19:09:29.850Z

Link: CVE-2026-24152

Vulnrichment

Updated: 2026-03-25T14:21:16.108Z

NVD

Status: Analyzed

Published: 2026-03-24T21:16:27.670

Modified: 2026-03-25T21:56:52.887

Link: CVE-2026-24152

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:18:46Z

Weaknesses