Cyber Posture

CVE-2026-24150

High

Published: 24 March 2026

Published
24 March 2026
Modified
25 March 2026
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0006 19.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24150 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Nvidia Megatron-Lm. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 19.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the deserialization flaw in NVIDIA Megatron-LM checkpoint loading by requiring timely patching of the vulnerability.

SI-10 Information Input Validation good match
prevent

Requires validation of checkpoint file inputs during deserialization to block malicious payloads leading to RCE.

SI-7 Software, Firmware, and Information Integrity partial match
prevent

Enforces integrity verification of checkpoint files prior to loading, detecting tampering or unauthorized modifications by attackers.

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
attack.mitre.org →
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Vulnerability enables RCE via deserialization when user loads malicious checkpoint file (T1204.002); Python-based framework allows arbitrary code execution (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an Attacker may cause an RCE by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information…

more

disclosure, and data tampering.

Deeper analysisAI

CVE-2026-24150 is a vulnerability in NVIDIA Megatron-LM, specifically in its checkpoint loading functionality. An attacker can achieve remote code execution (RCE) by convincing a user to load a maliciously crafted checkpoint file. The issue carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-502 (Deserialization of Untrusted Data). It was published on 2026-03-24.

The attack requires local access (AV:L) and low privileges (PR:L) on the target system, with low attack complexity (AC:L) and no additional user interaction beyond convincing the victim to load the file (UI:N). A successful exploit enables arbitrary code execution, which can further result in privilege escalation, information disclosure, and data tampering.

Mitigation guidance is available in official advisories, including the NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5769, the NVD detail page at https://nvd.nist.gov/vuln/detail/CVE-2026-24150, and the CVE record at https://www.cve.org/CVERecord?id=CVE-2026-24150.

Details

CWE(s)
CWE-502

Affected Products

nvidia
megatron-lm
≤ 0.15.3

CVEs Like This One

CVE-2026-24152Same product: Nvidia Megatron-Lm
CVE-2026-24151Same product: Nvidia Megatron-Lm
CVE-2025-33248Same product: Nvidia Megatron-Lm
CVE-2025-33247Same product: Nvidia Megatron-Lm
CVE-2026-24165Same vendor: Nvidia
CVE-2025-33253Same vendor: Nvidia
CVE-2025-33241Same vendor: Nvidia
CVE-2025-33252Same vendor: Nvidia
CVE-2025-33245Same vendor: Nvidia
CVE-2026-24157Same vendor: Nvidia

References