CVE-2026-24237 Overview
CVE-2026-24237 is an insecure deserialization vulnerability in NVIDIA NVTabular, a feature engineering and preprocessing library for tabular data used in recommender system pipelines. An attacker with local, low-privileged access can supply crafted serialized data that NVTabular deserializes without proper validation. Successful exploitation can lead to arbitrary code execution, data tampering, and information disclosure within the context of the user running the affected workflow. The flaw is tracked under CWE-502: Deserialization of Untrusted Data.
Critical Impact
Exploitation grants code execution with full confidentiality, integrity, and availability impact on systems running vulnerable NVTabular workloads.
Affected Products
- NVIDIA NVTabular (see NVIDIA Support Advisory for affected versions)
- Machine learning pipelines built on NVIDIA Merlin that import NVTabular workflows
- Data preprocessing environments loading NVTabular Workflow artifacts from untrusted sources
Discovery Timeline
- 2026-06-02 - CVE-2026-24237 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-24237
Vulnerability Analysis
NVTabular persists preprocessing workflows and feature engineering pipelines as serialized objects on disk. When these artifacts are loaded back into a Python process, the library reconstructs Python objects from the byte stream. If an attacker can place or substitute a malicious artifact in a location that NVTabular reads, the deserialization step executes attacker-controlled code as part of object reconstruction. The result is code execution in the same process as the data science workflow, with the same privileges as the user.
Because NVTabular runs inside ML training and inference pipelines, the affected process often has access to training data, model weights, GPU resources, and credentials for cloud storage. This expands the blast radius of a single deserialization event from a local code execution primitive to a foothold for data tampering and information disclosure across the ML pipeline.
Root Cause
The root cause is the use of an unsafe deserialization mechanism on data that crosses a trust boundary. The library does not cryptographically verify the integrity or origin of serialized workflow files before reconstructing objects. Any path that allows an attacker to write to the artifact location, or to convince a user to load a supplied file, is sufficient to trigger the flaw. This matches the CWE-502 pattern of trusting untrusted input during object reconstruction.
Attack Vector
The attack vector is local and requires low privileges, with no user interaction needed once the malicious artifact is loaded by a vulnerable workflow. A typical exploitation chain involves an attacker placing a crafted serialized workflow file in a shared directory, a cloud bucket, or a model registry consumed by an NVTabular pipeline. When a data scientist or automation job loads the artifact, the embedded payload executes during deserialization. The vulnerability mechanism is described in the NVIDIA Support Advisory; no public proof-of-concept is currently available.
Detection Methods for CVE-2026-24237
Indicators of Compromise
- Unexpected child processes spawned by Python interpreters running NVTabular or NVIDIA Merlin pipelines.
- Modifications to serialized workflow files (for example, workflow.pkl artifacts) from accounts that do not normally produce pipeline outputs.
- Outbound network connections from ML training hosts to unfamiliar destinations shortly after a workflow load operation.
Detection Strategies
- Monitor process lineage for shells, interpreters, or download utilities spawned as children of Python processes that load NVTabular workflows.
- Hunt for file integrity changes on directories that store NVTabular serialized artifacts and compare against expected pipeline outputs.
- Alert on Python processes that invoke deserialization routines immediately followed by execution of system binaries such as sh, bash, curl, or wget.
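Detection logic for the first and third strategies above, as an added example that is not part of the original advisory: it walks process lineage and flags shells or download utilities spawned under a Python process that loads NVTabular workflows. The event field names, the artifact directory and the events themselves are constructed for this example.

```python
"""Process-lineage detection for CVE-2026-24237 exploitation (added example, constructed events)."""

# Child images worth alerting on. Python itself is deliberately excluded: NVTabular
# pipelines routinely fork Python workers (e.g. Dask), which would flood the alert with noise.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget"}
# Hypothetical: where this environment keeps serialized workflow artifacts.
ARTIFACT_DIRS = ("/mnt/shared/nvtabular-artifacts",)
MAX_DEPTH = 4  # how far up the tree to look for the workflow-loading Python process

# Constructed process-creation events (not real telemetry); field names are this example's own.
EVENTS = [
    {"pid": 4100, "ppid": 1,    "image": "python3", "cmdline": "python3 preprocess.py --workflow /mnt/shared/nvtabular-artifacts/wf1"},
    {"pid": 4101, "ppid": 4100, "image": "python3", "cmdline": "python3 -c from multiprocessing.spawn import spawn_main"},
    {"pid": 4102, "ppid": 4100, "image": "sh",      "cmdline": "sh -c uname -a"},
    {"pid": 4103, "ppid": 4102, "image": "curl",    "cmdline": "curl -s http://203.0.113.9/"},
    {"pid": 4200, "ppid": 1,    "image": "bash",    "cmdline": "bash"},
    {"pid": 4201, "ppid": 4200, "image": "python3", "cmdline": "python3 notebook_server.py"},
    {"pid": 4202, "ppid": 4201, "image": "curl",    "cmdline": "curl https://pypi.org/simple/"},
]


def loads_nvtabular_workflow(ev):
    """Heuristic: a Python process whose command line references NVTabular or an artifact dir."""
    cmd = ev["cmdline"].lower()
    return ev["image"].startswith("python") and (
        "nvtabular" in cmd or any(d.lower() in cmd for d in ARTIFACT_DIRS))


def find_suspicious_spawns(events):
    """Return (child_pid, loader_pid, child_cmdline) for each suspicious child whose
    ancestry within MAX_DEPTH includes a workflow-loading Python process."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if ev["image"] not in SUSPICIOUS_CHILDREN:
            continue
        anc, depth = by_pid.get(ev["ppid"]), 0
        while anc is not None and depth < MAX_DEPTH:
            if loads_nvtabular_workflow(anc):
                hits.append((ev["pid"], anc["pid"], ev["cmdline"]))
                break
            anc, depth = by_pid.get(anc["ppid"]), depth + 1
    return hits


if __name__ == "__main__":
    for child, loader, cmd in find_suspicious_spawns(EVENTS):
        print(f"ALERT pid={child} spawned under workflow loader pid={loader}: {cmd}")
```

The curl child is caught even though its direct parent is the shell, because the walk continues up to the loading Python process.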
Monitoring Recommendations
- Enable command-line and process-creation logging on ML training and inference hosts and centralize the events for correlation.
- Track read access to NVTabular artifact locations and flag loads originating from non-pipeline service accounts.
- Correlate GPU host telemetry with identity and storage access logs to detect anomalous artifact retrieval patterns.
How to Mitigate CVE-2026-24237
Immediate Actions Required
- Apply the fixed NVTabular release identified in the NVIDIA Support Advisory as soon as it is available in your environment.
- Inventory all systems and container images that include NVTabular and prioritize patching of shared training infrastructure.
- Restrict write access to directories, buckets, and model registries that host serialized NVTabular workflow artifacts.
Patch Information
NVIDIA has published vendor guidance for CVE-2026-24237 in the NVIDIA Support Advisory. Administrators should consult the advisory for the specific fixed version, upgrade instructions, and any container image updates. The authoritative record is available at the NVD CVE-2026-24237 entry and the CVE.org CVE-2026-24237 Record.
Workarounds
- Load NVTabular workflow artifacts only from trusted, access-controlled locations and reject files from external or user-supplied sources.
- Run NVTabular pipelines under dedicated, least-privileged service accounts isolated from credentials for production data and cloud APIs.
- Validate artifact integrity using cryptographic signatures or checksums maintained out-of-band before any deserialization step.
# Configuration example
# Verify a workflow artifact checksum before loading it in a pipeline.
# The .sha256 file must be maintained out-of-band: if it sits in the same writable
# location as the artifact, whoever can replace workflow.pkl can replace it too.
sha256sum -c workflow.pkl.sha256 && python -c "from nvtabular import Workflow; Workflow.load('workflow.pkl')"
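The same gate in Python, as an added example that is not NVTabular project code: a trusted producer records a SHA-256 digest of every file in the artifact directory and MACs the listing with a key kept out-of-band, and the consumer refuses to call Workflow.load() unless both the manifest and the files verify. The key, the manifest format and the placeholder artifact bytes are this example's own assumptions.

```python
"""Integrity gate for NVTabular workflow artifacts (added example, not NVTabular project code)."""
import hashlib, hmac, json, os, tempfile

def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # streamed: artifacts can be large
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def _files_in(d):
    return {n for n in os.listdir(d) if os.path.isfile(os.path.join(d, n))}

def make_manifest(artifact_dir, key):
    """Producer side (trusted pipeline): digest every file, then MAC the listing."""
    files = {n: file_sha256(os.path.join(artifact_dir, n)) for n in sorted(_files_in(artifact_dir))}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}

def verify_artifact(artifact_dir, manifest, key):
    """Consumer side: True only if the manifest is authentic and every file still matches it."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), manifest["mac"]):
        return False  # manifest altered, or produced with a different key
    if _files_in(artifact_dir) != set(manifest["files"]):
        return False  # file added, removed or renamed
    return all(hmac.compare_digest(file_sha256(os.path.join(artifact_dir, n)), d)
               for n, d in manifest["files"].items())

def load_workflow_verified(artifact_dir, manifest, key):
    """Reach Workflow.load() only after the gate passes (same idea as the shell workaround)."""
    if not verify_artifact(artifact_dir, manifest, key):
        raise ValueError("artifact failed integrity check; refusing to deserialize")
    from nvtabular import Workflow  # real library; the path argument form follows your NVTabular version
    return Workflow.load(artifact_dir)

def demo():
    """Constructed artifact with placeholder bytes (not a real pickle); the key is hypothetical."""
    key = b"hypothetical-key-from-secrets-store"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "workflow.pkl")
        with open(path, "wb") as f: f.write(b"CONSTRUCTED-PLACEHOLDER-NOT-A-PICKLE")
        manifest = make_manifest(d, key)
        clean = verify_artifact(d, manifest, key)
        with open(path, "ab") as f: f.write(b"tampered")  # simulates substitution on shared storage
        tampered_file = verify_artifact(d, manifest, key)
        forged = dict(manifest, files={"workflow.pkl": file_sha256(path)})
        forged_manifest = verify_artifact(d, forged, key)  # digests updated, but the MAC cannot be
    return clean, tampered_file, forged_manifest
```

The third case is the one a plain checksum file next to the artifact cannot catch: an attacker who can replace workflow.pkl can also rewrite the digest, but not recompute the MAC without the out-of-band key.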
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.