{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24141", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "state": "PUBLISHED", "assignerShortName": "nvidia", "dateReserved": "2026-01-21T19:09:27.437Z", "datePublished": "2026-03-24T20:26:51.841Z", "dateUpdated": "2026-03-25T14:27:06.831Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-03-24T20:26:51.841Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Code execution, escalation of privileges, data tampering, information disclosure"}]}], "affected": [{"vendor": "NVIDIA", "product": "NVIDIA Model Optimizer", "platforms": ["All"], "versions": [{"status": "affected", "version": "All versions prior to 0.41.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "NVIDIA Model Optimizer for Windows and Linux contains a vulnerability in the ONNX quantization feature, where a user could cause unsafe deserialization by providing a specially crafted input file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.", "supportingMedia": [{"type": "text/html", "base64": true, "value": "NVIDIA Model Optimizer for Windows and Linux contains a vulnerability in the ONNX quantization feature, where a user could cause unsafe deserialization by providing a specially crafted input file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure."}]}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24141"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24141"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5798"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "NVIDIA PSIRT"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:24:25.297719Z", "id": "CVE-2026-24141", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:27:06.831Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24141", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T14:24:25.297719Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:24:28.562Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Code execution, escalation of privileges, data tampering, information disclosure"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NVIDIA", "product": "NVIDIA Model Optimizer", "versions": [{"status": "affected", "version": "All versions prior to 0.41.0"}], "platforms": ["All"], "defaultStatus": "unaffected"}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24141"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24141"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5798"}], "x_generator": {"engine": "NVIDIA PSIRT"}, "descriptions": [{"lang": "en", "value": "NVIDIA Model Optimizer for Windows and Linux contains a vulnerability in the ONNX quantization feature, where a user could cause unsafe deserialization by providing a specially crafted input file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.", "supportingMedia": [{"type": "text/html", "value": "NVIDIA Model Optimizer for Windows and Linux contains a vulnerability in the ONNX quantization feature, where a user could cause unsafe deserialization by providing a specially crafted input file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.", "base64": true}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-03-24T20:26:51.841Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24141", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:27:06.831Z", "dateReserved": "2026-01-21T19:09:27.437Z", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "datePublished": "2026-03-24T20:26:51.841Z", "assignerShortName": "nvidia"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA Model Optimizer for Windows and Linux contains a vulnerability in the ONNX quantization feature, where a user could cause unsafe deserialization by providing a specially crafted input file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure."}], "id": "CVE-2026-24141", "lastModified": "2026-03-25T15:41:58.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "psirt@nvidia.com", "type": "Secondary"}]}, "published": "2026-03-24T21:16:27.203", "references": [{"source": "psirt@nvidia.com", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24141"}, {"source": "psirt@nvidia.com", "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5798"}, {"source": "psirt@nvidia.com", "url": "https://www.cve.org/CVERecord?id=CVE-2026-24141"}], "sourceIdentifier": "psirt@nvidia.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "psirt@nvidia.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["all"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.41.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "NVIDIA Model Optimizer", "source": "cna", "vendor": "NVIDIA"}, "product": "nvidia_model_optimizer", "vendor": "nvidia"}], "analysis": {"en": {"generated_at": "2026-03-24T21:21:08.760647+00:00", "value": {"mitigation_remediation": ["Install the latest NVIDIA Model Optimizer update that addresses the unsafe deserialization flaw", "Validate and sandbox all ONNX files before they are processed by the quantization feature", "Restrict user access to the quantization functionality to trusted administrators only", "Monitor error logs for deserialization failures and investigate unexpected behavior promptly"], "summary": {"action": "Immediate Patch", "impact": "Potential Remote Code Execution via unsafe deserialization"}, "threat_synthesis": {"affected_systems": "The vulnerability affects NVIDIA\u2019s Model Optimizer product running on both Windows and Linux platforms. No specific software versions are listed, so all installed instances may be at risk if they expose the ONNX quantization feature to untrusted input.", "description_and_impact": "An attacker can provide a specially crafted ONNX file to the Model Optimizer's quantization routine, causing unsafe deserialization. This flaw may lead to arbitrary code execution, privilege escalation, data tampering, and information disclosure as described in the vendor\u2019s advisory.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.8, indicating high severity. EPSS information is not available, and the flaw is not currently noted in the CISA KEV catalog. The likely attack vector involves an attacker supplying a malicious ONNX file to a user or process that invokes the quantization function, which may be a local or remote threat depending on user permissions and network exposure."}}}}, "created": "2026-03-25T11:45:55.325630+00:00", "title": "Unsafe Deserialization in NVIDIA Model Optimizer ONNX Quantization", "updated": "2026-03-25T20:57:21.154216+00:00", "vendors": ["nvidia", "nvidia$PRODUCT$nvidia_model_optimizer"]}