(4th June 2026)
Preface: From a security engineering standpoint, there is no conceptual difference in the attack mechanism. Both the older vulnerabilities (CVE-2025-33214 / CVE-2025-33213) and the newer ones shown in the diagram share the exact same root weakness: Insecure Deserialization (CWE-502) via Python’s built-in pickle module.
Background:
NVIDIA Merlin & NVTabular (The Pipeline Base) –
NVIDIA Merlin is an end-to-end framework designed to accelerate deep learning recommender systems (RecSys). Within this ecosystem, NVTabular acts as the heavy-lifter for the ETL (Extract, Transform, Load) stage. It uses GPU-accelerated RAPIDS cuDF and Dask under the hood to handle multi-terabyte tabular datasets that exceed system CPU memory.
Integration with cuML and PyTorch –
To achieve maximum throughput, the pipeline passes these highly optimized, GPU-aligned data tensors directly into training frameworks (like PyTorch) or machine learning libraries (like cuML for clustering, classification, or collaborative filtering). The critical security boundary exists where these components save, transfer, or load their execution states across different nodes or microservices.
Vulnerability details: Both CVE-2026-24237 and CVE-2026-24221 are categorized under CWE-502: Deserialization of Untrusted Data.
- Serialization is the process of converting an in-memory object (like an NVTabular transformer setup or a cuML model state) into a byte stream for storage or transmission.
- Deserialization reconstructs a live in-memory object from that byte stream.
Why Is Python’s pickle Module Inherently Insecure?
The flaw stems from the pipeline’s reliance on Python’s native pickle module for saving and reloading model states or custom transformer pipelines.
pickle is not a safe serialization format because it does not just store raw data; it stores object reconstruction instructions. It utilizes a stack-based virtual machine (the Pickle VM) to execute these instructions sequentially when building the object back up.
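To make the "reconstruction instructions" point concrete, the following added example (not code from NVIDIA or from the advisory) walks a pickle's opcode stream with `pickletools.genops` without executing it, then loads it through an allow-list `Unpickler` that overrides `find_class`, the pattern the Python documentation describes for restricting globals. The sample states, the function names `audit_pickle` and `safe_loads`, and the allow-list contents are assumptions made for illustration.

```python
import io
import pickle
import pickletools
from fractions import Fraction

# Opcodes that make the Pickle VM call something while rebuilding an object.
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def audit_pickle(data: bytes) -> dict:
    """List imports and call opcodes in a pickle stream without executing it."""
    imports, calls, strings = [], [], []
    for op, arg, _pos in pickletools.genops(data):
        if "UNICODE" in op.name:
            strings.append(arg)  # candidate module/name operands for STACK_GLOBAL
        elif op.name in ("GLOBAL", "INST"):
            imports.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":
            # Heuristic: operands are normally the two most recent strings.
            imports.append(".".join(strings[-2:]))
        if op.name in CALL_OPS:
            calls.append(op.name)
    return {"imports": imports, "calls": calls}

class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that refuses any import outside an explicit allow-list."""
    def __init__(self, file, allowed):
        super().__init__(file)
        self.allowed = set(allowed)

    def find_class(self, module, name):
        if (module, name) not in self.allowed:
            raise pickle.UnpicklingError(f"blocked import: {module}.{name}")
        return super().find_class(module, name)

def safe_loads(data: bytes, allowed=()):
    """Load a pickle, permitting only the (module, name) pairs in `allowed`."""
    return AllowListUnpickler(io.BytesIO(data), allowed).load()

# Constructed sample states (not real NVTabular or cuML artifacts).
PLAIN_STATE = pickle.dumps({"bins": [0.1, 0.5]}, protocol=4)
OBJECT_STATE = pickle.dumps({"bins": [0.1, 0.5], "ratio": Fraction(1, 3)}, protocol=4)

if __name__ == "__main__":
    print(audit_pickle(PLAIN_STATE))   # data only: no imports, no calls
    print(audit_pickle(OBJECT_STATE))  # import of fractions.Fraction plus REDUCE
    print(safe_loads(OBJECT_STATE, {("fractions", "Fraction")}))
```

Even a benign object such as `Fraction` is stored as "import this name, call it with these arguments", which is why the set of importable names is the boundary to control. The opcode audit is a triage aid only; the allow-list in `find_class` is what enforces the restriction at load time.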
Official announcement: Please refer to link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5851