Description
NVIDIA Transformers4Rec for Linux contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure.
Published: 2026-05-26
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NVIDIA Transformers4Rec for Linux contains a flaw that allows attackers to submit crafted data during deserialization, potentially enabling code execution, data tampering, or information disclosure. The flaw is classified as CWE-502 (Deserialization of Untrusted Data), reflecting unsafe handling of serialized data.

Affected Systems

The affected product is NVIDIA Merlin Transformers4Rec for Linux. The CNA list does not specify affected versions, so one must assume that all existing releases could be vulnerable until an official fix is released.

Risk and Exploitability

The vulnerability has a CVSS score of 7.8, indicating high severity. EPSS data is unavailable, and the issue is not listed in CISA KEV, suggesting no confirmed public exploitation to date. The likely attack vector is the ingestion of untrusted data, which could occur via network or local input channels; attackers who can supply such data could exploit the deserialization flaw to execute arbitrary code and compromise confidentiality, integrity, and availability. The CVSS 3.1 vector recorded for this CVE (AV:L/AC:L/PR:N/UI:R) describes a local attack that needs no privileges but does require user interaction.

Generated by OpenCVE AI on May 26, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check NVIDIA’s support portal or download center for an officially released update or patch for Transformers4Rec.
  • Apply the latest available patch or upgrade to the newest stable release of the product.
  • If a patch is not immediately available, restrict access to the data ingestion interface so that only trusted applications can provide input to the deserialization component.
  • Implement network segmentation or firewall rules to limit exposure of the service to potential attackers.


Advisories

No advisories yet.

History

Thu, 04 Jun 2026 15:30:00 +0000

Values added:
  • First Time appeared: Linux; Linux linux Kernel; Nvidia transformers4rec
  • CPEs: cpe:2.3:a:nvidia:transformers4rec:*:*:*:*:*:*:*:*; cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel; Nvidia transformers4rec

Tue, 26 May 2026 20:15:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 26 May 2026 19:45:00 +0000

Values added:
  • First Time appeared: Nvidia; Nvidia merlin Transformers4rec
  • Vendors & Products: Nvidia; Nvidia merlin Transformers4rec

Tue, 26 May 2026 19:15:00 +0000

Values added:
  • Title: Improper Deserialization Enables Code Execution in NVIDIA Merlin Transformers4Rec

Tue, 26 May 2026 17:00:00 +0000

Values added:
  • Description: NVIDIA Transformers4Rec for Linux contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure.
  • Weaknesses: CWE-502
  • References:
  • Metrics (cvssV3_1): {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: nvidia

Published:

Updated: 2026-05-26T19:22:27.709Z

Reserved: 2026-01-21T19:09:30.918Z

Link: CVE-2026-24162

Vulnrichment

Updated: 2026-05-26T19:22:24.278Z

NVD

Status: Analyzed

Published: 2026-05-26T17:16:29.910

Modified: 2026-06-04T15:16:48.930

Link: CVE-2026-24162

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T19:30:13Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data