CVE-2026-24162 Overview
CVE-2026-24162 affects NVIDIA Transformers4Rec for Linux, a recommender system library built on top of Hugging Face Transformers. The vulnerability stems from improper deserialization of untrusted data [CWE-502]. An attacker who convinces a local user to load a crafted serialized object can trigger code execution, data tampering, or information disclosure within the user context.
The issue requires local access and user interaction, but successful exploitation yields high impact across confidentiality, integrity, and availability. Machine learning environments that load externally sourced model artifacts or checkpoints are particularly exposed.
Critical Impact
Loading an attacker-supplied serialized object in Transformers4Rec can lead to arbitrary code execution, tampering of training or inference data, and disclosure of sensitive model or dataset information.
Affected Products
- NVIDIA Transformers4Rec for Linux
- Recommender pipelines using vulnerable Transformers4Rec serialization paths
- ML workflows that deserialize externally supplied model checkpoints with Transformers4Rec
Discovery Timeline
- 2026-05-26 - CVE-2026-24162 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-24162
Vulnerability Analysis
The vulnerability is an insecure deserialization flaw in NVIDIA Transformers4Rec on Linux. Transformers4Rec accepts serialized objects as part of its model and pipeline handling. When the library deserializes data that originates from an untrusted source, the deserialization routine reconstructs arbitrary objects without integrity validation.
Python deserialization formats such as pickle execute embedded reducer logic during object reconstruction. An attacker can craft a serialized payload whose reducer invokes arbitrary commands. When a local user loads the payload through a Transformers4Rec API, the embedded code runs with that user's privileges.
The attack vector is local and requires user interaction, which aligns with typical ML workflows where engineers download model checkpoints, datasets, or pipeline state files from shared repositories. Impact spans confidentiality, integrity, and availability because the executed code inherits full user permissions over training data, credentials, and connected systems.
Root Cause
The root cause is the absence of safe deserialization controls when loading serialized objects in Transformers4Rec. The library does not enforce signature verification, allow-listing of safe classes, or use of safer formats such as safetensors before reconstructing objects from byte streams.
Attack Vector
An attacker publishes or shares a malicious serialized artifact, for example a model checkpoint or pipeline state file. A local user loads the artifact using a Transformers4Rec loading function. Deserialization executes the embedded payload in the user's context, enabling code execution, modification of files and datasets, and exfiltration of sensitive data.
No verified public exploit code is available for CVE-2026-24162. Refer to the NVIDIA Support Article and the NVD CVE-2026-24162 Detail for vendor and advisory information.
Detection Methods for CVE-2026-24162
Indicators of Compromise
- Unexpected child processes spawned by Python interpreters running Transformers4Rec workloads, such as sh, bash, curl, or wget.
- Outbound network connections from data science workstations or training nodes to unfamiliar hosts immediately after model load operations.
- Modification of files outside the project workspace following a torch.load or pickle-based load call within a Transformers4Rec pipeline.
Detection Strategies
- Hunt for Python processes loading .pkl, .bin, or checkpoint files sourced from non-trusted directories or downloads.
- Alert on Transformers4Rec processes that execute shell utilities, package managers, or compilers shortly after starting.
- Correlate file-read events on serialized model files with subsequent process-execution events to identify deserialization-triggered execution.
Monitoring Recommendations
- Log and review all model artifact downloads on ML hosts, including source URL, hash, and user.
- Monitor for new persistence mechanisms (cron jobs, systemd units, shell profile changes) created by ML workload users.
- Track egress traffic from training nodes and flag connections to hosts not on an approved registry allow-list.
How to Mitigate CVE-2026-24162
Immediate Actions Required
- Upgrade NVIDIA Transformers4Rec to the fixed version referenced in the NVIDIA Support Article.
- Inventory all systems running Transformers4Rec and identify pipelines that load externally sourced serialized artifacts.
- Quarantine and re-validate model checkpoints obtained from untrusted or unverified sources.
Patch Information
NVIDIA has published guidance for CVE-2026-24162 in its support portal. Apply the vendor-supplied update from the NVIDIA Support Article. Review the CVE.org Record CVE-2026-24162 and NVD CVE-2026-24162 Detail for affected version metadata as it becomes available.
Workarounds
- Load only serialized artifacts produced by trusted internal pipelines and signed with a verified integrity hash.
- Prefer non-executable serialization formats such as safetensors for model weight storage where supported.
- Run Transformers4Rec workloads under least-privilege service accounts and within isolated containers to limit blast radius.
- Block ML hosts from arbitrary outbound network access and restrict model downloads to an approved internal registry.
# Configuration example: pin and verify a patched Transformers4Rec build
pip install --upgrade transformers4rec==<patched-version>
# Verify checksum of any externally supplied checkpoint before loading
sha256sum ./checkpoints/model.bin
# Compare against the publisher-signed hash before passing to Transformers4Rec
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
