{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24149", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "state": "PUBLISHED", "assignerShortName": "nvidia", "dateReserved": "2026-01-21T19:09:27.438Z", "datePublished": "2026-02-03T19:55:41.704Z", "dateUpdated": "2026-02-03T20:28:28.082Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["All platforms"], "product": "Megatron-LM", "vendor": "NVIDIA", "versions": [{"lessThan": "0.14.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Michael DePlante (@izobashi) of Trend Zero Day Initiative"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, data tampering.</p>"}], "value": "NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, data tampering."}], "impacts": [{"descriptions": [{"lang": "en", "value": "Code execution, escalation of privileges, information disclosure, data tampering"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-02-03T19:55:41.704Z"}, "references": [{"name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24149"}, {"name": "Mitre", "url": "https://www.cve.org/CVERecord?id=CVE-2026-24149"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T20:28:22.922166Z", "id": "CVE-2026-24149", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T20:28:28.082Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24149", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-03T20:28:22.922166Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T20:28:25.332Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Michael DePlante (@izobashi) of Trend Zero Day Initiative"}], "impacts": [{"descriptions": [{"lang": "en", "value": "Code execution, escalation of privileges, information disclosure, data tampering"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NVIDIA", "product": "Megatron-LM", "versions": [{"status": "affected", "version": "0", "lessThan": "0.14.0", "versionType": "custom"}], "platforms": ["All platforms"], "defaultStatus": "unaffected"}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24149", "name": "NVD"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24149", "name": "Mitre"}], "descriptions": [{"lang": "en", "value": "NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, data tampering.", "supportingMedia": [{"type": "text/html", "value": "<p>NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, data tampering.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-02-03T19:55:41.704Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24149", "state": "PUBLISHED", "dateUpdated": "2026-02-03T20:28:28.082Z", "dateReserved": "2026-01-21T19:09:27.438Z", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "datePublished": "2026-02-03T19:55:41.704Z", "assignerShortName": "nvidia"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, data tampering."}, {"lang": "es", "value": "NVIDIA Megatron-LM para todas las plataformas contiene una vulnerabilidad en un script, donde datos maliciosos creados por un atacante pueden causar un problema de inyecci\u00f3n de c\u00f3digo. Un exploit exitoso de esta vulnerabilidad puede conducir a la ejecuci\u00f3n de c\u00f3digo, escalada de privilegios, revelaci\u00f3n de informaci\u00f3n, manipulaci\u00f3n de datos."}], "id": "CVE-2026-24149", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "psirt@nvidia.com", "type": "Secondary"}]}, "published": "2026-02-03T20:15:58.243", "references": [{"source": "psirt@nvidia.com", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24149"}, {"source": "psirt@nvidia.com", "url": "https://www.cve.org/CVERecord?id=CVE-2026-24149"}], "sourceIdentifier": "psirt@nvidia.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "psirt@nvidia.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:05:06.749293+00:00", "value": {"mitigation_remediation": ["Check NVIDIA\u2019s website or security advisories for a patch or update addressing the script vulnerability.", "Sanitize any input that is passed to the vulnerable script, for example by implementing whitelist validation or input encoding.", "Ensure that the script runs with the least privileges necessary, restricting file permissions and execution rights to a minimum set of trusted users."], "summary": {"action": "Assess Impact", "impact": "Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is NVIDIA Megatron-LM, available for all platforms. No specific product versions or patches are listed in the available data, so any installation of Megatron-LM that includes the vulnerable script may be impacted.", "description_and_impact": "A vulnerability exists in a script used by NVIDIA Megatron-LM that allows an attacker to inject malicious data, leading to code injection. This flaw can be leveraged to execute arbitrary code, potentially escalating privileges, leaking sensitive information, and modifying data. The weakness is classified as CWE-94, which denotes code injection or statement injection.", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.8, indicating a high overall risk. The EPSS score is reported as less than 1\u202f%, suggesting that there is a very low probability of exploitation in the wild at present, and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to involve the delivery of crafted input to the vulnerable script; depending on the script\u2019s exposure, this may require local or remote access. Given the severity of potential impact, it is important to evaluate whether the environment exposes the script to untrusted data and to mitigate accordingly."}}}}, "created": "2026-02-04T12:05:42.072396+00:00", "title": "Code Injection Vulnerability in NVIDIA Megatron-LM Leading to Code Execution", "updated": "2026-04-18T00:15:31.774392+00:00", "vendors": ["nvidia", "nvidia$PRODUCT$megatron-lm"]}