CVE-2026-24158 Overview
NVIDIA Triton Inference Server contains a vulnerability in the HTTP endpoint where an attacker may cause a denial of service by providing a large compressed payload. This vulnerability allows unauthenticated remote attackers to exhaust server resources by sending specially crafted compressed data that expands to consume excessive memory during decompression, effectively rendering the inference service unavailable.
Critical Impact
Successful exploitation enables remote attackers to disrupt AI/ML inference services without authentication, potentially impacting production machine learning pipelines and dependent applications.
Affected Products
- NVIDIA Triton Inference Server (HTTP endpoint)
Discovery Timeline
- 2026-03-24 - CVE-2026-24158 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-24158
Vulnerability Analysis
This vulnerability falls under CWE-789 (Memory Allocation with Excessive Size Value), which occurs when the application allocates memory based on an untrusted size value without proper validation. In the context of NVIDIA Triton Inference Server, the HTTP endpoint accepts compressed payloads for inference requests but fails to adequately limit the decompressed size of incoming data.
When Triton processes HTTP requests containing compressed content (such as gzip or deflate encoded bodies), the server decompresses the payload to process the inference request. An attacker can craft a "compression bomb" or "decompression bomb" - a small compressed file that expands to an enormous size when decompressed. This attack vector is commonly known as a "zip bomb" when applied to compressed archives.
The vulnerability is particularly concerning for AI/ML infrastructure as Triton Inference Server is widely deployed in production environments to serve machine learning models. Disruption of inference services can cascade to affect all downstream applications and services that depend on model predictions.
Root Cause
The root cause of this vulnerability lies in insufficient validation of the decompressed payload size before memory allocation. The HTTP endpoint does not enforce adequate limits on the expansion ratio or final size of decompressed request bodies. When processing compressed content, the server allocates memory proportional to the decompressed size without checking whether this allocation is within acceptable bounds, allowing an attacker to trigger excessive memory consumption with minimal bandwidth.
Attack Vector
The attack can be executed remotely over the network without requiring any authentication or user interaction. An attacker sends an HTTP request to the Triton Inference Server endpoint with a compressed payload in the request body. The compressed data is designed to have an extremely high compression ratio, meaning a small amount of data (potentially just a few kilobytes) decompresses into gigabytes of data.
When the server attempts to decompress this payload, it allocates memory for the expanded content. This can rapidly exhaust available system memory, causing the Triton process to crash or become unresponsive. Repeated attacks can prevent the service from recovering, resulting in a sustained denial of service condition.
The attack is particularly effective because:
- No authentication is required to send requests to the HTTP inference endpoint
- The attacker only needs to send small amounts of data to trigger large memory allocations
- The server processes the decompression synchronously, blocking resources
Detection Methods for CVE-2026-24158
Indicators of Compromise
- Unusual spikes in memory utilization on systems running Triton Inference Server
- HTTP requests with small content-length but compressed content encoding headers (gzip, deflate, br)
- Repeated crashes or out-of-memory errors in Triton Inference Server logs
- Sudden service unavailability of inference endpoints without corresponding increase in legitimate traffic
Detection Strategies
- Monitor HTTP request patterns for anomalous compression ratios by comparing Content-Length headers to actual payload sizes after decompression
- Implement alerting on rapid memory consumption events correlated with HTTP endpoint activity
- Deploy network-based intrusion detection rules to identify requests with suspicious compression characteristics
- Review Triton server logs for repeated connection resets or memory allocation failures
Monitoring Recommendations
- Configure resource monitoring to alert when Triton containers or processes exceed memory thresholds
- Implement rate limiting and request size validation at the load balancer or reverse proxy level
- Enable detailed access logging on HTTP endpoints to facilitate forensic analysis of potential attacks
- Monitor container orchestration platforms (Kubernetes) for pod evictions or OOM kill events affecting Triton deployments
How to Mitigate CVE-2026-24158
Immediate Actions Required
- Review the NVIDIA Support Answer for official patch information and apply available updates
- Implement request size limits at the reverse proxy or load balancer level to restrict maximum decompressed payload sizes
- Consider temporarily disabling compressed request body support if not required for your deployment
- Restrict network access to Triton Inference Server endpoints to trusted sources using firewall rules or network policies
Patch Information
NVIDIA has published a security advisory addressing this vulnerability. Administrators should consult the NVIDIA Support Answer for specific patch versions and upgrade instructions. Review the NVD CVE-2026-24158 Details for additional technical information and updates.
Workarounds
- Deploy a reverse proxy (such as NGINX or HAProxy) in front of Triton with configured limits on client_body_buffer_size and decompression settings
- Implement Web Application Firewall (WAF) rules to inspect and limit compressed payload expansion ratios
- Use Kubernetes resource limits to constrain memory available to Triton pods, preventing system-wide impact from memory exhaustion
- Enable authentication on Triton endpoints to reduce the attack surface from anonymous remote attackers
# Example NGINX configuration to limit request body size
# Add to nginx.conf or server block configuration
client_max_body_size 10m;
client_body_buffer_size 128k;
# Disable automatic decompression to prevent bomb attacks
# Inspect payloads manually with size limits
gunzip_buffers 16 8k;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
