{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24152", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "state": "PUBLISHED", "assignerShortName": "nvidia", "dateReserved": "2026-01-21T19:09:29.850Z", "datePublished": "2026-03-24T20:25:03.603Z", "dateUpdated": "2026-03-25T14:27:34.743Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-03-24T20:25:03.603Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Code Execution, Escalation of Privileges, Data Tampering, Information Disclosure"}]}], "affected": [{"vendor": "NVIDIA", "product": "Megatron LM", "platforms": ["All platforms"], "versions": [{"status": "affected", "version": "All versions prior to 0.15.3"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an Attacker may cause an RCE by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.", "supportingMedia": [{"type": "text/html", "base64": true, "value": "NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an Attacker may cause an RCE by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering."}]}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24152"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24152"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5769"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "NVIDIA PSIRT"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:21:09.151629Z", "id": "CVE-2026-24152", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:27:34.743Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24152", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T14:21:09.151629Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:21:16.108Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Code Execution, Escalation of Privileges, Data Tampering, Information Disclosure"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NVIDIA", "product": "Megatron LM", "versions": [{"status": "affected", "version": "All versions prior to 0.15.3"}], "platforms": ["All platforms"], "defaultStatus": "unaffected"}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24152"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24152"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5769"}], "x_generator": {"engine": "NVIDIA PSIRT"}, "descriptions": [{"lang": "en", "value": "NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an Attacker may cause an RCE by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.", "supportingMedia": [{"type": "text/html", "value": "NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an Attacker may cause an RCE by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.", "base64": true}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-03-24T20:25:03.603Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24152", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:27:34.743Z", "dateReserved": "2026-01-21T19:09:29.850Z", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "datePublished": "2026-03-24T20:25:03.603Z", "assignerShortName": "nvidia"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nvidia:megatron-lm:*:*:*:*:*:*:*:*", "matchCriteriaId": "05221D08-E8D5-4CBE-8B4E-8CE4C8176AB4", "versionEndExcluding": "0.15.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an Attacker may cause an RCE by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering."}], "id": "CVE-2026-24152", "lastModified": "2026-03-25T21:56:52.887", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "psirt@nvidia.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-24T21:16:27.670", "references": [{"source": "psirt@nvidia.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24152"}, {"source": "psirt@nvidia.com", "tags": ["Vendor Advisory"], "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5769"}, {"source": "psirt@nvidia.com", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2026-24152"}], "sourceIdentifier": "psirt@nvidia.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "psirt@nvidia.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["all_platforms"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.15.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Megatron LM", "source": "cna", "vendor": "NVIDIA"}, "product": "megatron-lm", "vendor": "nvidia"}], "analysis": {"en": {"generated_at": "2026-03-26T02:54:27.801746+00:00", "value": {"mitigation_remediation": ["Apply the latest NVIDIA Megatron\u2011LM release that addresses the checkpoint validation flaw.", "Restrict checkpoint loading to trusted directories and enforce integrity checks before importing a checkpoint.", "Avoid loading checkpoint files from untrusted sources or users; where possible, disable automatic external checkpoint loading.", "Monitor application logs for anomalous command execution or unusual checkpoint load attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects NVIDIA Megatron\u2011LM. No specific version range is provided, meaning any deployment that uses the checkpoint loading feature is potentially impacted until an updated release is applied. Administrators should verify the SKU and version against vendor advisories to confirm exposure.", "description_and_impact": "NVIDIA Megatron\u2011LM allows an attacker to supply a maliciously crafted checkpoint file that the application loads without proper validation. When such a checkpoint is imported, code can be executed, potentially leading to privilege escalation, data tampering, or information disclosure. The flaw is identified as CWE\u2011502, indicating improper handling of encoded input data.", "risk_and_exploitability": "With a CVSS score of 7.8 the flaw is classified as high severity, yet the EPSS score of <1% suggests a low likelihood of exploitation in the near term. The vulnerability is not yet listed in the CISA KEV catalog. Exploitation requires the attacker to persuade an authorized user to load the malicious checkpoint or to place the file in a location that the system auto\u2011loads, implying a local or socially engineered attack vector."}}}}, "created": "2026-03-25T11:46:01.021154+00:00", "updated": "2026-03-26T12:18:46.562972+00:00", "vendors": ["nvidia", "nvidia$PRODUCT$megatron-lm"]}