Platform
python
Component
megatron-lm
Fixed in
0.14.0
CVE-2026-24149 describes a code injection vulnerability in NVIDIA Megatron-LM, a framework for training large language models. An attacker who can supply crafted input data to the affected script achieves arbitrary code execution when that data is processed. The flaw affects Megatron-LM releases before 0.14.0; the fix ships in 0.14.0.
The impact is significant. Successful exploitation gives the attacker arbitrary code execution with the privileges of the Megatron-LM process. On a typical training node that means access to the training corpus, checkpoints and model weights stored or mounted there, the ability to tamper with the model being trained, and a foothold from which to install backdoors, disrupt the job, or pivot to other hosts in the cluster; if the job runs as root, the compromise extends to the whole host. Because Megatron-LM is used to train production language models, silent tampering with training data or weights is the consequence to worry about most: it undermines the integrity of every model produced on the compromised pipeline.
CVE-2026-24149 was publicly disclosed on 2026-02-03. There is currently no indication of active exploitation in the wild and no public proof-of-concept (PoC) code, and the vulnerability has not been added to the CISA KEV catalog. Because the outcome is code execution, patching should be prioritized rather than deferred until exploitation is observed.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2026-24149 is to upgrade to NVIDIA Megatron-LM 0.14.0 or later, which contains the fix. If upgrading is not immediately feasible, reduce exposure rather than relying on ad-hoc sanitization: the advisory does not identify which script or input format is affected, so treat every dataset, tokenizer file and configuration fed to Megatron-LM as untrusted, process only inputs whose provenance you have verified (pin them by hash), and do not accept data from external or multi-tenant sources until the fix is in place. Run training jobs as an unprivileged user, restrict outbound network access from training nodes so a successful exploit cannot fetch tooling or exfiltrate data, and monitor for signs of post-exploitation: a Python training process spawning a shell or downloader, executables launched from /tmp or similar scratch directories, and unexpected privilege changes.
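The monitoring advice above is easier to act on as concrete rules. The following is an added example written for this page, not code from NVIDIA, Megatron-LM or this tracker: three detection rules run over constructed, simplified execve-style process records (pid, ppid, uid, exe, cmdline). The record schema, the sample command lines (including the `/workspace/Megatron-LM/pretrain_gpt.py` invocation) and the "training process" heuristic are assumptions for the demo; port the rule logic to whatever fields your auditd or EDR pipeline actually emits.

```python
"""Hunt for post-exploitation behaviour of a compromised training process.

Added example for the monitoring advice in this advisory; not code from
NVIDIA, Megatron-LM or this tracker. The event records are constructed,
simplified execve-style records; real auditd/EDR fields differ, so port the
rule logic, not the schema. The "training process" heuristic (a python
executable whose command line mentions Megatron-LM) is an assumption.
"""
from dataclasses import dataclass

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}
DOWNLOADERS = {"/usr/bin/curl", "/usr/bin/wget"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass(frozen=True)
class ExecEvent:
    pid: int
    ppid: int
    uid: int
    exe: str
    cmdline: str


def is_training_process(ev: ExecEvent) -> bool:
    """Heuristic: a Python interpreter running something from Megatron-LM."""
    binary = ev.exe.rsplit("/", 1)[-1]
    return binary.startswith("python") and "megatron" in ev.cmdline.lower()


def analyze(events):
    """Return (pid, reason) for every event matching one of three rules:
    1. a training process spawned a shell or downloader (the usual first
       step of an injected payload);
    2. an executable ran from a world-writable scratch directory;
    3. a child is running as uid 0 under a non-root parent.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and is_training_process(parent) and (e.exe in SHELLS or e.exe in DOWNLOADERS):
            findings.append((e.pid, f"training process {parent.pid} spawned {e.exe}: {e.cmdline}"))
        if e.exe.startswith(SCRATCH_DIRS):
            findings.append((e.pid, f"executable launched from scratch directory: {e.exe}"))
        if parent and e.uid == 0 and parent.uid != 0:
            findings.append((e.pid, f"uid 0 child of uid {parent.uid} process {parent.pid}"))
    return findings


# Constructed sample: one training job, a benign build helper, then a chain
# that looks like a payload getting a shell, dropping a binary in /tmp and
# escalating. Only the last three records should be flagged.
SAMPLE_EVENTS = [
    ExecEvent(1000, 1, 1001, "/usr/bin/python3",
              "python3 /workspace/Megatron-LM/pretrain_gpt.py --data-path /data/corpus"),
    ExecEvent(1001, 1000, 1001, "/usr/bin/ninja", "ninja -C /workspace/build"),
    ExecEvent(1002, 1000, 1001, "/bin/sh", "sh -c id"),
    ExecEvent(1003, 1002, 1001, "/tmp/.cache-helper", "/tmp/.cache-helper"),
    ExecEvent(2000, 1, 0, "/usr/sbin/sshd", "sshd: worker"),
    ExecEvent(1004, 1003, 0, "/usr/bin/id", "id"),
]

if __name__ == "__main__":
    for pid, reason in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Rule 1 is the one that matters for this CVE: a data-loading script has no legitimate reason to fork a shell, so that signal is both high-fidelity and early. Rules 2 and 3 are generic post-exploitation checks included because the page recommends watching for processes from unexpected locations and privilege changes.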
Update the Megatron-LM library to version 0.14.0 or later; this fixes the code injection vulnerability. You can update with the pip package manager: `pip install megatron-lm --upgrade`, then confirm with `pip show megatron-lm` that the installed version is 0.14.0 or later.
CVE-2026-24149 is a code injection vulnerability affecting NVIDIA Megatron-LM releases before 0.14.0 that allows an attacker who controls input data to execute arbitrary code.
You are affected if you run NVIDIA Megatron-LM at any version below 0.14.0. Upgrade to 0.14.0 or later to remediate.
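Whether you are affected comes down to the installed or pinned version, and version strings are easy to mis-compare by hand. The following is an added example written for this page (not NVIDIA's, not this tracker's) that scans a requirements.txt and the current interpreter for a Megatron-LM pin below 0.14.0. It assumes the distribution name `megatron-lm` used in the upgrade command above, and it treats 0.14.0 pre-releases (rc, beta, dev) as still unfixed; that conservative treatment is an assumption, not something the advisory states.

```python
"""Flag Megatron-LM pins below the fixed release named on this page (0.14.0).

Added example for this advisory, not NVIDIA's or the tracker's code. Assumes
the distribution name "megatron-lm" from the page's upgrade command. Treating
0.14.0 pre-releases as unfixed is a conservative assumption.
"""
import re
from importlib import metadata

PACKAGE = "megatron-lm"
FIXED = "0.14.0"

# release digits, then an optional pre/post/dev suffix such as "rc1" or ".post1"
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)([.\-]?[a-zA-Z].*)?\s*$")
# "name[extras] <specifiers>"; comments are stripped before matching
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")


def normalize(name: str) -> str:
    """PEP 503 name normalization so Megatron_LM and megatron-lm compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(text: str):
    """Sortable key (release tuple, is_final) for a PEP 440-style version."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release = release + (0,) * (3 - len(release))
    suffix = (m.group(2) or "").lstrip(".-").lower()
    is_final = suffix == "" or suffix.startswith("post")   # post-releases are at/after the fix
    return (release, 1 if is_final else 0)


def is_vulnerable(version: str) -> bool:
    """True when `version` sorts below the fixed release."""
    return version_key(version) < version_key(FIXED)


def scan_requirements(text: str):
    """Return (line_no, verdict) for each requirements.txt line naming the package.

    Verdicts: 'vulnerable' (exact pin below the fix), 'fixed' (exact pin at or
    after it), 'unpinned' (no exact pin: the resolver may still pick an old release).
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # blank, or an option such as -r / -e
            continue
        m = _REQ_RE.match(line)
        if not m or normalize(m.group(1)) != PACKAGE:
            continue
        pin = re.search(r"(?<![=!<>~])==\s*([^\s,;=]+)", m.group(2))
        if pin:
            verdict = "vulnerable" if is_vulnerable(pin.group(1)) else "fixed"
        else:
            verdict = "unpinned"
        findings.append((no, verdict))
    return findings


def installed_version():
    """Version installed in the current interpreter, or None if absent."""
    try:
        return metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None


# Constructed sample requirements file covering each verdict.
SAMPLE_REQUIREMENTS = """\
torch==2.3.0
Megatron_LM == 0.13.0        # exact pin below the fix
megatron-lm>=0.12            # no exact pin; resolver may choose an old release
megatron-lm==0.14.0rc1       # pre-release, treated as not yet fixed
megatron-lm==0.14.0
"""

if __name__ == "__main__":
    for no, verdict in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {no}: {verdict}")
    v = installed_version()
    print("installed:", v, "(vulnerable)" if v and is_vulnerable(v) else "")
```

Run it against your real requirements files as well as inside each training image: a lock file that says 0.14.0 is not evidence if the container was built before the pin was bumped, which is why the script also queries the installed distribution.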
Upgrade to NVIDIA Megatron-LM 0.14.0 or later. Until you can, restrict the job to trusted, integrity-checked inputs and run it with minimal privileges and network access as a temporary workaround.
There is currently no indication of active exploitation in the wild, but proactive patching is recommended.
Refer to the NVIDIA security bulletin for detailed information and updates: [https://nvidia.github.io/security-bulletins/](https://nvidia.github.io/security-bulletins/)