Cyber Resilience

CVE-2026-24209

High

Published: 20 May 2026

Published
20 May 2026
Modified
20 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0065 46.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24209 is a high-severity Path Traversal (CWE-22) vulnerability in Nvidia Triton Inference Server. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a path traversal issue. A successful exploit of this vulnerability might lead to denial of service.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Path traversal in network-accessible inference server directly enables remote exploitation of public-facing app (T1190) resulting in application-layer DoS via crafted input (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24208Same product: Linux Linux Kernel
CVE-2026-24210Same product: Linux Linux Kernel
CVE-2026-24206Same product: Linux Linux Kernel
CVE-2026-24207Same product: Linux Linux Kernel
CVE-2025-23318Same product: Linux Linux Kernel
CVE-2025-23317Same product: Linux Linux Kernel
CVE-2025-23319Same product: Linux Linux Kernel
CVE-2025-23311Same product: Linux Linux Kernel
CVE-2025-23310Same product: Linux Linux Kernel
CVE-2026-31711Same product: Linux Linux Kernel

Affected Assets

nvidia
triton inference server
≤ 26.03

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References