CVE-2026-24162: NVIDIA Transformers4Rec: deserialization RCE

HIGH
Published May 26, 2026
CISO Take

NVIDIA Transformers4Rec contains an improper deserialization flaw (CWE-502) where loading a maliciously crafted serialized artifact — such as a model checkpoint from a public repository or internal model registry — triggers arbitrary code execution with the victim's privileges, plus full data tampering and information disclosure. Although the attack vector is local and requires user interaction, these conditions routinely occur in ML workflows where practitioners load third-party checkpoints without integrity validation; with low attack complexity and full CIA triad impact, a successful exploit hands an attacker complete control of the data science environment and any credentials or training data accessible from it. There is no CISA KEV entry and no public exploit at time of writing, but pickle-based deserialization attacks against ML libraries are well-documented, low-skill, and historically weaponized at scale. Apply the patch from NVIDIA Security Bulletin a_id/5838 immediately, migrate artifact storage to safetensors format where feasible, and deploy picklescan in CI/CD pipelines to catch malicious serialized files before they reach practitioner environments.

Sources: NVD, MITRE ATLAS, nvidia.custhelp.com

What is the risk?

Moderate-to-high risk for organizations running Transformers4Rec in recommendation or session-based ML pipelines. CVSS 7.8 High reflects full CIA triad impact, but the local attack vector and required user interaction constrain exploitation to scenarios where an attacker can deliver a malicious file to a practitioner workstation or pipeline environment. In ML/AI contexts this barrier is substantially lower than in traditional enterprise software — data scientists routinely download model checkpoints from Hugging Face Hub, S3 buckets, or internal registries without file integrity verification. No EPSS data is available and the vulnerability is absent from CISA KEV, indicating no confirmed active exploitation. The absence of public exploits or Nuclei templates reduces immediate automated scanning risk, but pickle-based RCE tooling is widely accessible and requires minimal ML expertise to weaponize.

Attack Kill Chain

  1. Artifact Delivery (AML.T0010.001): Attacker publishes a malicious serialized model checkpoint to a public repository such as Hugging Face Hub, or compromises an internal model registry, advertising it as a legitimate pre-trained Transformers4Rec recommendation model.

  2. User Execution (AML.T0011.000): A data scientist or MLOps engineer downloads and loads the malicious checkpoint using Transformers4Rec's deserialization routines during model evaluation or pipeline initialization.

  3. Code Execution (AML.T0018.002): The embedded malicious payload in the serialized artifact executes arbitrary code with the victim's process privileges, establishing attacker control of the ML environment.

  4. Impact (AML.T0025): Attacker exfiltrates cloud credentials, proprietary training data, and model weights stored in the compromised environment, or tampers with recommendation pipeline outputs to manipulate downstream business decisions.

Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

6 steps
  1. Patch: Apply the fix from NVIDIA Security Bulletin https://nvidia.custhelp.com/app/answers/detail/a_id/5838 as soon as a patched release is available; track the advisory for version guidance.

  2. Artifact validation: Implement cryptographic signature verification (checksums, Sigstore) for all model files before loading via Transformers4Rec.

  3. Format migration: Migrate serialized model storage from pickle-based formats to safetensors, which does not permit arbitrary code execution during deserialization.

  4. Sandboxing: Load untrusted model artifacts in isolated environments (containers or VMs) with minimal privileges and no access to production credentials or databases.

  5. Detection: Integrate picklescan into CI/CD pipelines to flag malicious serialized files; monitor for unexpected process spawning from Python interpreter processes during model loading operations.

  6. Inventory and restrict: Audit all Transformers4Rec deployments and enforce a policy that model artifacts may only be loaded from internally signed, approved sources.
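As an added illustration of steps 2 and 5 above (example code, not NVIDIA's or the Transformers4Rec project's own): a loader that checks a pinned SHA-256 digest before touching the bytes and then unpickles under a global allowlist, so any artifact that tries to import a callable outside that list is refused before it can be invoked. The allowlist, function names and the constructed sample checkpoint are assumptions.

```python
import hashlib
import io
import pickle
from collections import OrderedDict
from fractions import Fraction

# Allowlist of (module, name) pairs the unpickler may resolve. Assumption: the
# constructed checkpoint below needs only OrderedDict; a real Transformers4Rec
# checkpoint would add exactly the torch/numpy reconstructors it requires.
# Anything else (os.system, subprocess.Popen, builtins.eval, ...) is refused
# before the REDUCE opcode can call it.
SAFE_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """pickle.Unpickler whose find_class honours only allowlisted globals."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def load_checkpoint(data: bytes, expected_sha256: str):
    """Check the pinned digest first, then deserialize under the allowlist."""
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256:
        raise ValueError(f"digest mismatch: got {digest}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes, expected_sha256: str) -> str:
    """Outcome label for an artifact: ok / digest_mismatch / blocked_global."""
    try:
        load_checkpoint(data, expected_sha256)
        return "ok"
    except ValueError:
        return "digest_mismatch"
    except pickle.UnpicklingError:
        return "blocked_global"


# Constructed sample artifacts, not real Transformers4Rec checkpoints.
GOOD_CHECKPOINT = OrderedDict(model="t4r-demo", layers=2, weights=[[0.1, 0.2], [0.3, 0.4]])
GOOD_BYTES = pickle.dumps(GOOD_CHECKPOINT)
GOOD_SHA256 = hashlib.sha256(GOOD_BYTES).hexdigest()  # value a signed manifest would pin
# Stand-in for an artifact importing a class outside the allowlist: a pickled
# Fraction references fractions.Fraction, so it is refused even with a matching
# digest (a digest alone cannot prove an artifact is safe to unpickle).
UNTRUSTED_BYTES = pickle.dumps(Fraction(1, 2))
UNTRUSTED_SHA256 = hashlib.sha256(UNTRUSTED_BYTES).hexdigest()
```

The digest check catches tampering in transit, while the allowlist is what actually stops a crafted artifact; moving to safetensors (step 3) removes the need for the second check altogether.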

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 (Accuracy, robustness and cybersecurity); Article 9 (Risk management system)
ISO 42001: 6.1.2 (AI risk assessment); 8.4 (AI system lifecycle)
NIST AI RMF: MANAGE 2.2 (Treatments, responses, and prioritization of AI risks)
OWASP LLM Top 10: LLM03:2025 (Supply Chain)

Frequently Asked Questions

Is CVE-2026-24162 actively exploited?

No confirmed active exploitation of CVE-2026-24162 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-24162?

This vulnerability affects the following AI/ML architecture patterns: recommendation system pipelines, ML training pipelines, model serving infrastructure, MLOps artifact repositories.

What is the CVSS score for CVE-2026-24162?

CVE-2026-24162 has a CVSS v3.1 base score of 7.8 (HIGH).

AI Security Impact

Affected AI Architectures

recommendation system pipelines, ML training pipelines, model serving infrastructure, MLOps artifact repositories

MITRE ATLAS Techniques

AML.T0010.001: AI Software
AML.T0011: User Execution
AML.T0011.000: Unsafe AI Artifacts
AML.T0018.002: Embed Malware

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 6.1.2, 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

Technical Details

Original Advisory

NVIDIA Transformers4Rec for Linux contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure.

Exploitation Scenario

An attacker targets a data science team using NVIDIA Transformers4Rec for session-based product recommendation. They publish a malicious model checkpoint to a public Hugging Face repository or a compromised internal model registry, advertising it as a pre-trained recommendation baseline with strong benchmark results. The checkpoint embeds a serialized Python object with a `__reduce__` method that spawns a reverse shell on deserialization. When a data scientist runs the model loading routine during experimentation or pipeline evaluation, the Transformers4Rec deserialization path executes the attacker's payload — establishing remote access to the workstation. The attacker then exfiltrates AWS or GCP credentials stored in environment variables, accesses proprietary training datasets and model weights, and potentially pivots to production recommendation infrastructure.

Weaknesses (CWE)

CWE-502 - Deserialization of Untrusted Data

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
May 26, 2026
Last Modified
May 26, 2026
First Seen
May 26, 2026
