HIGH 7.8

CVE-2026-24237 NVIDIA NVTabular Deserialization Remote Code Execution Vulnerability

NVIDIA NVTabular is vulnerable to unsafe deserialization of untrusted data. An attacker with local access and basic user privileges could exploit this flaw to execute arbitrary code, modify data, or steal sensitive information from systems running the affected software.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-502
Affected products
1 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

NVIDIA NVTabular contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-24237 is a deserialization vulnerability (CWE-502) in NVIDIA NVTabular that permits improper handling of untrusted serialized objects. The vulnerability requires local access and a valid user account but no additional privilege escalation or user interaction. Once triggered, successful exploitation can result in arbitrary code execution within the privileges of the calling process, enabling both confidentiality and integrity violations. The CVSS 3.1 score of 7.8 reflects the high impact across confidentiality, integrity, and availability combined with the local attack vector and low complexity.

Business impact

Organizations using NVTabular in data science or machine learning pipelines face risk of workload compromise. A malicious insider or lateral movement attacker could weaponize this to exfiltrate training datasets, inject malicious models, or disrupt analytics infrastructure. In regulated environments (financial services, healthcare, automotive), such compromise could trigger compliance incidents, data breach notification obligations, and reputational damage. The local-only attack vector limits blast radius but should not reduce urgency in shared compute environments or cloud deployments where multi-tenant isolation is incomplete.

Affected systems

NVIDIA NVTabular is the sole affected product. Deployments include on-premises data science clusters, Jupyter environments, containerized analytics platforms, and cloud-based ML workflows. Teams using NVTabular for feature engineering, data preprocessing, or exploratory data analysis should inventory their installations and verify patch status. Check both direct usage and transitive dependencies in data pipeline orchestration tools.

Exploitability

Exploitation requires local system access and valid user credentials; remote exploitation is not possible. However, complexity is low—an attacker need only craft a malicious serialized Python object (e.g., pickle payload) and supply it to a vulnerable NVTabular function. In shared development environments, multi-user containers, or lateral-movement scenarios, this becomes practical. The vulnerability does not require user interaction, making it suitable for automated attack chains. No public exploit code or active exploitation has been reported as of the modification date, but the attack surface remains broad given serialization's ubiquity in data processing libraries.

Remediation

Patch NVTabular to the latest version provided by NVIDIA addressing CWE-502. Until patching is feasible, restrict local access to systems running NVTabular, enforce strong authentication and session isolation, and avoid deserializing untrusted data sources. In sandbox or isolated development environments, consider temporary restrictions on untrusted user uploads or data imports. Monitor for suspicious process spawning or anomalous I/O from NVTabular processes.

Patch guidance

Verify the specific patched version through the official NVIDIA NVTabular repository and release notes. Apply patches first to non-production environments and test data pipeline functionality before rolling out broadly. Given the local-only attack vector, patching can be staged by environment sensitivity, but all instances handling untrusted external data should be prioritized. Track patch deployment using your configuration management or vulnerability tracking system.

Detection guidance

Monitor for deserialization-related exceptions or errors in NVTabular logs. Look for unexpected child process creation spawned by Python/NVTabular workers, unusual network connections initiated from data processing nodes, or file writes to unexpected locations. Intrusion detection signatures targeting pickle exploits or similar Python deserialization attacks may yield detection opportunities. In containerized environments, monitor for privilege escalation attempts or container escape indicators. Endpoint detection and response (EDR) tools should flag anomalous behavior in data science workloads.

Why prioritize this

Although not yet on the CISA KEV catalog, this HIGH-severity vulnerability combines code execution capability with local attack vector in widely deployed ML infrastructure. Prioritize if your organization: (1) runs NVTabular in environments with untrusted users or lateral-movement risk; (2) processes sensitive or regulated data through NVTabular pipelines; or (3) operates shared data science platforms. Non-production or low-sensitivity deployments may defer patching slightly longer, but should not remain unpatched indefinitely.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) reflects full impact to confidentiality, integrity, and availability (all rated as H) balanced against a local attack vector and low-privilege attacker requirement. The absence of user interaction and low attack complexity elevate the score despite local-only access. This places it firmly in the patch-soon category for most organizations, though not in the immediate-drop-everything tier reserved for critical remote code execution with no privilege requirement.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. CVE-2026-24237 requires local system access and valid user credentials. It cannot be exploited over the network alone. However, in cloud or multi-tenant environments, an attacker who gains initial access through other means could leverage this to escalate or move laterally.

Do we need to patch if NVTabular only processes trusted, internal data?

Risk is significantly lower in that scenario, but not zero. If all data inputs are validated and sourced only from trusted internal systems, and access to the NVTabular system is tightly controlled, immediate patching may be deferred. However, you should still patch promptly once a tested version is available, as assumptions about data trust can change.

What should we do if we cannot patch immediately?

Restrict local user access to systems running NVTabular; enforce strong authentication and multi-factor authentication where possible. Avoid importing untrusted serialized data, validate all external inputs before passing them to NVTabular functions, and monitor processes for suspicious behavior. Isolate NVTabular systems from lateral-movement pathways in your network.

How do we know if we are running an affected version?

Check the version of NVTabular installed via `pip show nvtabular` or equivalent in your environment. Cross-reference with NVIDIA's official security advisory and release notes to confirm whether your version is patched. Maintain an inventory of NVTabular deployments across your data science infrastructure so you can quickly assess scope.

This analysis is based on information available as of June 2026. CVSS scores and vulnerability details are provided by NVIDIA and the CVE database and should not be modified without reference to official sources. SEC.co does not provide legal advice. Organizations should verify patch availability and compatibility with their specific NVTabular versions and dependent systems before deployment. No guarantee is made regarding the completeness or accuracy of detection signatures. Readers assume full responsibility for vulnerability management decisions in their environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).