Platform: python
Component: megatron-lm
Fixed version: 0.14.0
CVE-2026-24149 describes a code injection vulnerability discovered in NVIDIA Megatron-LM, a framework for large language model training. An attacker can craft malicious data that, when processed by the vulnerable script, leads to arbitrary code execution. This vulnerability impacts versions 0.0 through 0.14.0 of Megatron-LM and has been resolved in version 0.14.0.
The impact of this vulnerability is significant. Successful exploitation allows an attacker to execute arbitrary code within the context of the Megatron-LM process. This could lead to complete system compromise, including privilege escalation to gain root access, data exfiltration of sensitive training data or model weights, and modification of the model itself. Given Megatron-LM's use in training large language models, the potential for data tampering could have far-reaching consequences, impacting the integrity and reliability of the resulting AI models. The ability to execute arbitrary code opens the door to a wide range of malicious activities, including installing backdoors, launching denial-of-service attacks, and pivoting to other systems on the network.
CVE-2026-24149 was publicly disclosed on 2026-02-03. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (POC) code is available. The vulnerability has not been added to the CISA KEV catalog. Given the potential for code execution, it is recommended to prioritize patching to prevent potential future exploitation.
Organizations and researchers utilizing NVIDIA Megatron-LM for large language model training are at risk. This includes those deploying Megatron-LM in cloud environments, on-premise servers, or within development pipelines. Specifically, those using older, unpatched versions (0.0 - 0.14.0) are particularly vulnerable.
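• python / supply-chain:

```python
import subprocess
import sys


def check_megatron_version():
    # The module name megatron_lm is the one this page uses.
    cmd = [sys.executable, '-c', 'import megatron_lm; print(megatron_lm.__version__)']
    try:
        result = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
        version = result.decode('utf-8').strip()
        # Compare (major, minor) as integers; float('0.14.0') raises ValueError.
        major, minor = (int(part) for part in version.split('.')[:2])
        if (major, minor) < (0, 14):
            print(f"Vulnerability detected: Megatron-LM version is {version}, upgrade required.")
        else:
            print(f"Megatron-LM version is {version}, no vulnerability detected.")
    except subprocess.CalledProcessError:
        # The child interpreter exited with an error, typically a failed import.
        print("Megatron-LM not found.")
    except Exception as e:
        print(f"Error checking version: {e}")


check_megatron_version()
```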
Exploit status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-24149 is to upgrade to NVIDIA Megatron-LM version 0.14.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on any data processed by the vulnerable script. Specifically, carefully scrutinize all user-provided input and reject any data that appears suspicious or malformed. While not a direct fix, restricting network access to the Megatron-LM process can limit the potential impact of a successful exploit. Monitor system logs for unusual activity, particularly processes executing from unexpected locations or with elevated privileges.
Upgrade the Megatron-LM library to version 0.14.0 or later. This resolves the code injection vulnerability. You can upgrade using the pip package manager: `pip install megatron-lm --upgrade`.
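To find pipelines that still pin an affected release before upgrading, the following added example (not code from NVIDIA or from this page) audits requirements.txt text for `megatron-lm` entries below the fixed version 0.14.0. The function names and the sample file are constructed for illustration, and pre-release suffixes such as `rc1` are ignored as a simplification.

```python
import re

FIXED = (0, 14, 0)        # fixed version stated on this page
PACKAGE = "megatron-lm"   # package name as used in the page's pip command

# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# training stack
torch==2.3.1
megatron-lm==0.13.1   # pinned last quarter
Megatron_LM>=0.14.0
megatron-lm
megatron-lm-extras==0.1.0
"""


def _normalize(name):
    # PEP 503: runs of '-', '_' and '.' are equivalent, case-insensitive.
    return re.sub(r"[-_.]+", "-", name).lower()


def _parse_version(text):
    # Keep the first three numeric release segments, padded with zeros.
    parts = [int(p) for p in re.findall(r"\d+", text.split("+")[0])[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def audit_requirements(text):
    """Return (line_no, requirement, verdict) for every megatron-lm entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        req = raw.split("#", 1)[0].strip()            # drop comments
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$", req)
        if not m or _normalize(m.group(1)) != PACKAGE:
            continue
        spec = m.group(3).split(";", 1)[0].strip()    # drop environment markers
        pin = re.fullmatch(r"==\s*(\d[^\s,*]*)", spec)
        floors = [_parse_version(v) for v in re.findall(r">=\s*(\d[^\s,]*)", spec)]
        if pin:
            verdict = "vulnerable" if _parse_version(pin.group(1)) < FIXED else "ok"
        elif floors and max(floors) >= FIXED:
            verdict = "ok"
        else:
            verdict = "review"   # resolver may still select a release below FIXED
        findings.append((line_no, req, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(*finding, sep="\t")
```

A `review` verdict means the entry is unpinned or its lower bound is below 0.14.0, so the installed version has to be checked in the environment itself.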
CVE-2026-24149 is a code injection vulnerability affecting NVIDIA Megatron-LM versions 0.0 through 0.14.0, allowing attackers to potentially execute arbitrary code.
You are affected if you are using NVIDIA Megatron-LM versions 0.0 - 0.14.0. Upgrade to version 0.14.0 or later to mitigate the risk.
Upgrade to NVIDIA Megatron-LM version 0.14.0 or later. Implement input validation as a temporary workaround if upgrading is not immediately possible.
There is currently no indication of active exploitation in the wild, but proactive patching is recommended.
Refer to the NVIDIA security bulletin for detailed information and updates: [https://nvidia.github.io/security-bulletins/](https://nvidia.github.io/security-bulletins/)