CVE-2026-47471 in TensorRT-LLMinfo

Summary

by MITRE • 07/15/2026

NVIDIA TensorRT-LLM for any platform contains a vulnerability in tensor deserialization, where an attacker could cause a heap based buffer overflow. A successful exploit of this vulnerability might lead to information disclosure, data tampering, or denial of service.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability identified in NVIDIA TensorRT-LLM represents a critical heap-based buffer overflow during tensor deserialization processes across all supported platforms. This flaw resides within the memory management mechanisms responsible for reconstructing serialized tensor objects, creating an avenue for malicious input to exceed allocated buffer boundaries. The issue manifests when the system attempts to deserialize malformed or crafted tensor data structures that exceed expected memory allocations, leading to unpredictable memory corruption patterns that can be exploited by adversaries.

From a technical perspective, this vulnerability operates at the intersection of software security and deep learning infrastructure, where the deserialization process fails to properly validate input boundaries before copying data into heap-allocated buffers. The buffer overflow occurs during the reconstruction phase of tensor objects, which are fundamental data structures in machine learning workflows that contain multi-dimensional arrays of numerical data. When attackers supply maliciously constructed serialized tensor data, the system's parsing logic does not adequately enforce size constraints, allowing arbitrary memory writes beyond intended buffer limits.

The operational impact of this vulnerability extends across multiple attack vectors and potential outcomes within the NVIDIA TensorRT-LLM ecosystem. Successful exploitation could enable adversaries to achieve information disclosure by overwriting adjacent memory regions containing sensitive data or cryptographic keys, potentially compromising the integrity of machine learning models and their associated training datasets. Data tampering becomes possible through controlled buffer overflow attacks that modify tensor contents during processing, leading to incorrect model outputs or malicious behavior in deployed AI systems. Additionally, denial of service conditions can be triggered when heap corruption causes application crashes or system instability, disrupting critical inference workflows in production environments.

This vulnerability aligns with CWE-121, which addresses stack-based buffer overflow conditions, and more specifically relates to heap-based variants that occur during dynamic memory allocation and data reconstruction processes. The attack surface is consistent with ATT&CK technique T1059.007 for command and script injection through malformed data processing, while also mapping to T1499.004 for data manipulation attacks targeting system integrity. Organizations utilizing NVIDIA TensorRT-LLM frameworks must consider the broader implications of this flaw within their AI infrastructure security posture, particularly in environments where untrusted input data is processed or when the system operates with elevated privileges.

Mitigation strategies should prioritize immediate patch application from NVIDIA to address the core deserialization logic flaws, combined with input validation measures that enforce strict boundary checking during tensor reconstruction. Network segmentation and access controls can reduce exposure by limiting potential attack vectors to specific system components, while runtime monitoring systems should be deployed to detect anomalous memory allocation patterns or buffer overflow indicators. Organizations should also implement robust data sanitization processes for any externally sourced tensor data and consider deploying intrusion detection systems capable of identifying exploitation attempts targeting this specific vulnerability class. Regular security assessments of machine learning infrastructure components remain essential to identify similar weaknesses in adjacent software libraries and frameworks that may present additional attack surfaces requiring coordinated remediation efforts.

Responsible

Nvidia

Reservation

05/19/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!