CVE-2026-24158 - Vulnerability Details

- Denial of Service via Large Compressed Payload in Triton Inference Server HTTP Endpoint

Description

NVIDIA Triton Inference Server contains a vulnerability in the HTTP endpoint where an attacker may cause a denial of service by providing a large compressed payload. A successful exploit of this vulnerability may lead to denial of service.

Published: 2026-03-24

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A large compressed payload sent to the HTTP endpoint of NVIDIA Triton Inference Server can cause excessive memory or resource consumption, leading to the service becoming unresponsive and denying legitimate traffic. This resource exhaustion issue is classified under CWE-789 (Uncontrolled Resource Consumption). The result is a denial of service that can affect any application relying on the inference service.

Affected Systems

The vulnerability affects NVIDIA Triton Inference Server. The affected products are those that expose the HTTP endpoint, and while specific vulnerable releases are not listed, it is inferred that any version of Triton that supports the HTTP API may be susceptible.

Risk and Exploitability

The issue carries a CVSS score of 7.5, indicating high severity, but the EPSS rate is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of exploitation at present. The attack vector is remote, via the publicly accessible HTTP interface; an attacker can send an oversized compressed request to trigger resource exhaustion. If exploited, the server may crash or become unresponsive, leading to service disruption until it is manually restarted or patched.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

NVIDIA

Triton Inference Server

unaffected

Version	Status	Constraints
`All versions prior to 26.01`	affected	—

Configuration 1 [-]

cpe:2.3:a:nvidia:triton_inference_server:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Nvidia

Triton Inference Server

100%

Version	Status	Scheme	Platform
`[0,26.01)`	affected	generic	['all']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check whether NVIDIA Triton Inference Server is deployed in your environment
Restrict access to the HTTP endpoint to trusted networks or IP ranges
Apply any official NVIDIA patch or update as soon as it is released
If no patch is available, disable the HTTP endpoint or restart the service during maintenance windows to mitigate temporary impact
Monitor server logs for unusually large compressed requests and set alerts for potential abuse

Generated by OpenCVE AI on March 31, 2026 at 06:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00062.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2026-24158
https://nvidia.custhelp.com/app/answers/detail/a_id/5790
https://www.cve.org/CVERecord?id=CVE-2026-24158

History

Wed, 01 Apr 2026 02:15:00 +0000

Type	Values Removed	Values Added
Title	Denial of Service via Large Compressed Payload in Triton Inference Server HTTP Endpoint

Tue, 31 Mar 2026 03:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:nvidia:triton_inference_server::::::::

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Title		Denial of Service via Large Compressed Payload in Triton Inference Server HTTP Endpoint

Wed, 25 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 25 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Nvidia Nvidia triton Inference Server
Vendors & Products		Nvidia Nvidia triton Inference Server

Tue, 24 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description		NVIDIA Triton Inference Server contains a vulnerability in the HTTP endpoint where an attacker may cause a denial of service by providing a large compressed payload. A successful exploit of this vulnerability may lead to denial of service.
Weaknesses		CWE-789
References		https://nvd.nist.gov/vuln/detail/CVE-2026-24158 https://nvidia.custhelp.com/app/answers/detail/a_id/5790 https://www.cve.org/CVERecord?id=CVE-2026-24158
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Nvidia Triton Inference Server

MITRE

Status: PUBLISHED

Assigner: nvidia

Published: 2026-03-24T20:26:28.640Z

Updated: 2026-03-25T14:27:11.988Z

Reserved: 2026-01-21T19:09:29.851Z

Link: CVE-2026-24158

Vulnrichment

Updated: 2026-03-25T14:24:14.793Z

NVD

Status : Analyzed

Published: 2026-03-24T21:16:27.997

Modified: 2026-03-31T01:29:00.970

Link: CVE-2026-24158

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:09:20Z

Weaknesses

CWE-789

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object