CVE-2026-24158

High

Published: 24 March 2026

Published

24 March 2026

Modified

31 March 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0007 20.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24158 is a high-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability in Nvidia Triton Inference Server. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 20.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-5 Denial-of-service Protection good match

prevent

SC-5 Denial-of-service Protection directly mitigates resource exhaustion attacks like the large compressed payload in NVIDIA Triton Inference Server's HTTP endpoint.

SC-6 Resource Availability good match

prevent

SC-6 Resource Availability limits memory and other resource allocations per process, preventing uncontrolled memory allocation from oversized payloads.

SI-10 Information Input Validation good match

prevent

SI-10 Information Input Validation checks HTTP payloads for validity and size, blocking the malformed large compressed inputs that trigger the DoS vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Directly enables Endpoint DoS via application exploitation (uncontrolled memory allocation from large compressed payload on public HTTP endpoint).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

NVIDIA Triton Inference Server contains a vulnerability in the HTTP endpoint where an attacker may cause a denial of service by providing a large compressed payload. A successful exploit of this vulnerability may lead to denial of service.

Deeper analysisAI

CVE-2026-24158 is a vulnerability in the HTTP endpoint of NVIDIA Triton Inference Server, where an attacker can cause a denial of service by providing a large compressed payload. This issue, associated with CWE-789 (Uncontrolled Memory Allocation), received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high availability impact with no requirements for privileges or user interaction. The vulnerability was published on 2026-03-24.

A remote, unauthenticated attacker can exploit this vulnerability over the network by sending a specially crafted large compressed payload to the affected HTTP endpoint, leading to denial of service on the Triton Inference Server. Successful exploitation results in service disruption but does not allow confidentiality or integrity violations.

Mitigation details are available in official advisories, including NVIDIA's security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5790, as well as entries on the NVD at https://nvd.nist.gov/vuln/detail/CVE-2026-24158 and CVE.org at https://www.cve.org/CVERecord?id=CVE-2026-24158. Security practitioners should review these sources for patch availability and recommended remediation steps.