CVE-2026-24233 in TensorRT-LLM
Summary
by MITRE • 07/15/2026
NVIDIA TensorRT-LLM for Linux contains a vulnerability in the restricted unpickler used for model weight deserialization, where a local, unauthenticated attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
This vulnerability exists within NVIDIA TensorRT-LLM for Linux systems where the restricted unpickler component handles model weight deserialization processes. The flaw resides in how the system processes untrusted data during the deserialization phase, creating a potential attack vector for malicious actors. The vulnerability is classified as a local privilege escalation issue that does not require authentication, making it particularly dangerous in environments where local access is possible. According to CWE standards, this represents a weakness in the deserialization process where untrusted data can be manipulated to execute arbitrary code within the system context. The restricted unpickler mechanism fails to properly validate or sanitize input data, allowing attackers to craft malicious payloads that bypass security controls during model loading operations.
The technical exploitation of this vulnerability enables an attacker with local access to execute arbitrary code within the privileges of the TensorRT-LLM process. This deserialization flaw can be leveraged to escalate privileges from the current user context to higher privilege levels, potentially gaining root access or administrative control over the affected system. The attack surface is particularly concerning because it operates during normal model loading operations, meaning legitimate users or processes could inadvertently trigger the exploit while performing routine tasks. The vulnerability's impact extends beyond simple code execution to include data tampering capabilities, allowing attackers to modify model weights or configuration files that could compromise the integrity of machine learning workflows. Information disclosure represents another significant risk where sensitive data within memory structures or model configurations could be accessed by unauthorized parties.
From an operational perspective, this vulnerability poses substantial risks to organizations relying on NVIDIA TensorRT-LLM for Linux deployments, particularly in enterprise environments where multiple users may have local access to systems running these components. The attack vector is particularly dangerous because it does not require network connectivity or authentication credentials, making it accessible even in isolated network segments. Security teams must consider the potential for supply chain attacks where malicious actors could compromise model files before deployment, as well as insider threats where authorized users with local access might exploit this vulnerability. The impact of exploitation can be severe across multiple domains including data integrity, system availability, and confidentiality. Organizations using machine learning frameworks in production environments face increased risk of service disruption, unauthorized data access, or complete system compromise if this vulnerability is not addressed promptly.
Mitigation strategies should include immediate patching of affected NVIDIA TensorRT-LLM versions to address the deserialization flaw through proper input validation and sanitization mechanisms. System administrators should implement strict access controls and privilege separation to limit local user access to systems running these components, particularly in multi-user environments. Network segmentation and monitoring solutions should be deployed to detect unusual deserialization activities or attempts to load malicious model files. Organizations must also establish secure software development lifecycle practices including code reviews focused on deserialization handling, dependency validation, and regular security assessments of machine learning frameworks. The ATT&CK framework categorizes this vulnerability under privilege escalation techniques where attackers leverage insecure deserialization to gain elevated system privileges. Regular security awareness training for personnel working with machine learning systems should emphasize the risks of loading untrusted model files and the importance of maintaining secure development practices throughout the software lifecycle.