Platform
python
Component
megatron-lm
Fixed in
0.14.0
CVE-2026-24149 describes a code injection vulnerability discovered in NVIDIA Megatron-LM, a framework for large language model training. An attacker can craft malicious data that, when processed by the vulnerable script, leads to arbitrary code execution. This vulnerability impacts versions 0.0 through 0.14.0 of Megatron-LM and has been resolved in version 0.14.0.
The impact of this vulnerability is significant. Successful exploitation allows an attacker to execute arbitrary code within the context of the Megatron-LM process. This could lead to complete system compromise, including privilege escalation to gain root access, data exfiltration of sensitive training data or model weights, and modification of the model itself. Given Megatron-LM's use in training large language models, the potential for data tampering could have far-reaching consequences, impacting the integrity and reliability of the resulting AI models. The ability to execute arbitrary code opens the door to a wide range of malicious activities, including installing backdoors, launching denial-of-service attacks, and pivoting to other systems on the network.
CVE-2026-24149 was publicly disclosed on 2026-02-03. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (POC) code is available. The vulnerability has not been added to the CISA KEV catalog. Given the potential for code execution, it is recommended to prioritize patching to prevent potential future exploitation.
Organizations and researchers utilizing NVIDIA Megatron-LM for large language model training are at risk. This includes those deploying Megatron-LM in cloud environments, on-premise servers, or within development pipelines. Specifically, those using older, unpatched versions (0.0 - 0.14.0) are particularly vulnerable.
• python / supply-chain:

```python
import subprocess
import sys

def check_megatron_version():
    try:
        # Query the installed package in a child interpreter so an import failure
        # does not abort this script.
        result = subprocess.check_output(
            [sys.executable, '-c', 'import megatron_lm; print(megatron_lm.__version__)'],
            stderr=subprocess.STDOUT,
        )
        version = result.decode('utf-8').strip()
        # Compare the numeric release segments; float('0.13.1') would raise ValueError.
        release = tuple(int(x) for x in version.split('.')[:3] if x.isdigit())
        release += (0,) * (3 - len(release))  # treat 0.14 and 0.14.0 as equal
        if release < (0, 14, 0):
            print(f"Vulnerability detected: Megatron-LM version is {version}, upgrade required.")
        else:
            print(f"Megatron-LM version is {version}, no vulnerability detected.")
    except subprocess.CalledProcessError as e:
        # The import failed inside the child interpreter (package not installed or no __version__).
        print(f"Megatron-LM not found: {e.output.decode('utf-8', 'replace').strip()}")
    except FileNotFoundError:
        print("Python interpreter not found.")
    except Exception as e:
        print(f"Error checking version: {e}")

check_megatron_version()
```
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-24149 is to upgrade to NVIDIA Megatron-LM version 0.14.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on any data processed by the vulnerable script. Specifically, carefully scrutinize all user-provided input and reject any data that appears suspicious or malformed. While not a direct fix, restricting network access to the Megatron-LM process can limit the potential impact of a successful exploit. Monitor system logs for unusual activity, particularly processes executing from unexpected locations or with elevated privileges.
Update the Megatron-LM library to version 0.14.0 or later. This fixes the code injection vulnerability. You can update using the pip package manager: `pip install megatron-lm --upgrade`.
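As an added example (not part of the advisory and not NVIDIA's code), the following script scans a requirements.txt or `pip freeze` listing for a pin of the affected distribution below the fixed version 0.14.0. The distribution name `megatron-lm` is taken from the advisory's pip command; the sample manifest is constructed for the demonstration. It compares versions with PEP 440 ordering for release and pre-release segments rather than a float conversion, so `0.14` equals `0.14.0` and `0.14.0rc1` is still reported as below the fix.

```python
import re

# Fixed version given by the advisory; anything ordered below it is treated as affected.
FIXED_VERSION = "0.14.0"
# Distribution name taken from the advisory's pip command, PEP 503 normalized.
AFFECTED_PACKAGE = "megatron-lm"

# name, optional operator, optional version; environment markers (;) and comments (#) are cut off.
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(===|==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)"
)

def normalize_name(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of '-', '_' or '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(version: str):
    """Map a PEP 440 style version onto a sortable key.

    Handles the numeric release segment plus an optional a/b/rc pre-release, which
    is enough to order 0.13.1 < 0.14.0rc1 < 0.14.0 == 0.14 < 0.15. Post, dev and
    local segments are ignored, which is fine for a 'below the fix' test.
    """
    m = re.match(r"^v?(\d+(?:\.\d+)*)(?:\.?(a|b|rc)(\d+))?", version.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(x) for x in m.group(1).split("."))
    release += (0,) * (3 - len(release))          # 0.14 and 0.14.0 compare equal
    if m.group(2) is None:
        pre = (1,)                                 # final release sorts after any pre-release
    else:
        pre = (0, {"a": 0, "b": 1, "rc": 2}[m.group(2).lower()], int(m.group(3)))
    return (release, pre)

def is_affected(version: str) -> bool:
    """True when the version is strictly below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def scan_requirements(text: str):
    """Return one finding per line that references the affected distribution."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _REQ_RE.match(line)
        if not m or normalize_name(m.group(1)) != AFFECTED_PACKAGE:
            continue
        name, op, version = m.group(1), m.group(2), m.group(3)
        if op in ("==", "===") and version:
            status = "vulnerable" if is_affected(version) else "fixed"
        else:
            # A range or bare name resolves at install time; check the installed version instead.
            status = "unpinned"
        findings.append({"line": lineno, "name": name, "op": op, "version": version, "status": status})
    return findings

# Constructed sample manifest (not from the advisory); mixes a vulnerable pin with a range.
REQUIREMENTS_SAMPLE = """\
# constructed requirements.txt for demonstration
torch==2.3.0
Megatron_LM==0.13.1        # exact pin below the fix
megatron-lm>=0.12          # range; whatever pip resolves must be checked separately
transformers==4.41.0
"""

if __name__ == "__main__":
    for f in scan_requirements(REQUIREMENTS_SAMPLE):
        print(f"line {f['line']}: {f['name']}{f['op'] or ''}{f['version']} -> {f['status']}")
```

Exact pins are the only lines the scanner can judge offline; a range such as `>=0.12` is reported as unpinned because what pip actually installs depends on the index at resolution time, so the installed version must be checked on the host as well.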
CVE-2026-24149 is a code injection vulnerability affecting NVIDIA Megatron-LM versions 0.0 through 0.14.0, allowing attackers to potentially execute arbitrary code.
You are affected if you are using NVIDIA Megatron-LM versions 0.0 - 0.14.0. Upgrade to version 0.14.0 or later to mitigate the risk.
Upgrade to NVIDIA Megatron-LM version 0.14.0 or later. Implement input validation as a temporary workaround if upgrading is not immediately possible.
There is currently no indication of active exploitation in the wild, but proactive patching is recommended.
Refer to the NVIDIA security bulletin for detailed information and updates: [https://nvidia.github.io/security-bulletins/](https://nvidia.github.io/security-bulletins/)