Category Archives: AI and ML

CVE-2026-56287: A Boolean-based blind vulnerability exists in Apache Fineract’s Client Search API (17th July 2026)

Preface: AI systems use Apache Fineract’s Client Search API through AI-to-banking bridges like Model Context Protocol (MCP) servers. [1, 2]

The OpenMF (Mifos Initiative) community actively maintains mcp-mifosx, an MCP server designed to connect Large Language Models (LLMs) and AI agents to the Apache Fineract core banking platform. When an AI assistant handles customer analysis, automated loan processing, or fraud detection, it relies heavily on the Client Search API to locate customer profiles, verify financial details, and navigate banking data.

Individual AI model inherently owns or hardcodes Apache Fineract’s Client Search API. Instead, any LLM or AI model (such as Anthropic’s Claude, OpenAI’s GPT-4o, or Google’s Gemini) can use this API by leveraging the newly standardized Model Context Protocol (MCP).

Background: In versions up to and including 1.14.0, Apache Fineract fails to properly validate the orderBy and sortOrder request parameters in its Client Search API.

Developers often use parameterized queries (Prepared Statements) for standard WHERE clauses. However, SQL syntax does not allow parameters for ORDER BY column names or directions. Because of this, developers sometimes make the mistake of using raw string concatenation for sorting clauses.

An authenticated user can inject arbitrary SQL queries. Because the backend database behavior (like the order or presence of returned items) changes depending on whether an injected True/False logic statement matches, attackers can extract full database schemas and records character-by-character. On MySQL or MariaDB, it can even trigger LOAD_FILE() to read local system files.

From technical point of view, MCP servers act as bridges connecting Large Language Models (LLMs) to enterprise data tools. If an AI agent interacts with the Fineract API hosted on your MCP server, an attacker could abuse the agent via indirect prompt injection (e.g., feeding the AI a malicious string via user profile fields) to silently trigger the blind SQLi payload.

Furthermore, AI agents often operate under a perimeter of trusted workflows. A successful boolean blind SQLi can leak sensitive credentials from your database or local server files. The attacker can then force the MCP server to abuse its broad integrations (like executing host commands or calling external APIs).

Vulnerability details: A boolean-based SQL Injection vulnerability exists in Apache Fineract’s Client Search API (GET /api/v1/clients) in versions up to and including 1.14.0. The orderBy and sortOrder request parameters are concatenated into a SQL query without sufficient validation, allowing an authenticated user with permission to view clients to inject arbitrary SQL via a crafted orderBy value. This can be leveraged to perform blind boolean-based data extraction and, on MySQL/MariaDB, to disclose arbitrary files readable by the database process via the LOAD_FILE() function. Users are recommended to upgrade to a version containing the fix.

Affected versions:

  • Apache Fineract 1.14.0
  • Apache Fineract 1.15.0 unaffected

Official announcement: Please refer to the link for details –

https://www.tenable.com/cve/CVE-2026-56287

CVE-2026-24233: Deserialization of Untrusted Data havoc TensorRT-LLM (16th Jul 2026)

Preface: DeepSpeed MII, an open-source Python library developed by Microsoft, aims to make powerful model inference accessible, emphasizing high throughput, low latency, and cost efficiency. TensorRT LLM, an open-source framework from NVIDIA, is designed for optimizing and deploying large language models on NVIDIA GPUs.

Microsoft’s DeepSpeed suite (including DeepSpeed-MII) and NVIDIA’s TensorRT-LLM each use their own proprietary kernel optimizations, memory management systems, and compilation workflows.

Background: During the early development lifecycle of TensorRT-LLM (v0.x through early v1.x), the framework relied heavily on PyTorch routines to read incoming checkpoint binaries primarily due to an aggressive development timeline focused on rapid time-to-market and deep integration with the existing Hugging Face/PyTorch ecosystem.Rather than building custom, bare-metal file deserializers from scratch, NVIDIA engineers utilized PyTorch as a bridge to quickly establish functional features.

The early reliance on standard PyTorch routines (like torch.load()) to read checkpoint binaries is directly related to why an initialized RestrictedUnpickler did not mandate a strict Register Allowlist restriction (Safe Globals).The technical breakdown of why this occurred during the v0.x through early v1.x lifecycle includes:

The Open-World “Arbitrary Tensor” ProblemTo implement a strict RestrictedUnpickler with an active Register Allowlist, a developer must know every single class, module, and data type that will ever appear in the input file.

The Reality: In early TensorRT-LLM releases, scripts had to support checkpoints coming from Hugging Face, deep-speed saves, raw PyTorch, Megatron-LM, and dozens of community-forked models.

The Conflict: If NVIDIA engineers had mandated a strict Safe Globals allowlist, any checkpoint containing custom third-party extensions, custom metadata classes, or non-standard tensor storages (like specialized quantization state structures) would have instantly triggered a _pickle.UnpicklingError. Mandating it would have severely hindered user adoption.

Vulnerability details: CVE-2026-24233 NVIDIA TensorRT-LLM for Linux contains a vulnerability in the restricted unpickler used for model weight deserialization, where a local, unauthenticated attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.

Official announcement: Please refer to the link fore details – https://nvidia.custhelp.com/app/answers/detail/a_id/5840

CVE-2026-10666: The bug was introduced when the parser was added (Zephyr v1.9.0) and shipped in all releases through v4.4.0. (15th July 2026)

Preface: Zephyr (backed by the Linux Foundation) frequently trades places with FreeRTOS as the most widely adopted open-source RTOS in embedded industry surveys.

Background: While Zephyr introduced a completely revamped, native IP stack in version v1.7.0 (migrating away from its original heavily modified uIP foundation), it initially lacked standardized support for string-to-numeric IP address translation within its native tools and DNS resolver interfaces. Applications handling raw string literals had to rely on manual, custom string splitting or external parsing logic.

In traditional networking, parsing an IP address string requires guessing the IP version first or making separate, verbose calls to POSIX functions like inet_pton(). Zephyr’s native utility is specifically optimized for resource-constrained IoT environments where code space and RAM are heavily restricted.

The net_ipaddr_parse() utility was introduced to simplify and unify string-to-binary conversion for dual-stack (IPv4 and IPv6) address processing into a single, light footprint function. The parser was first introduced (v1.9.0), confirming it does not exist in older codebases.

Ref: This specific utility (net_ipaddr_parse()) became widely documented due to a security flaw identified in CVE-2026-10666. Security audits explicitly track this stack-based buffer overflow vulnerability back to the very commit where the parser was first introduced (v1.9.0), confirming it does not exist in older codebases.

Vulnerability details: CVE-2026-10666 was introduced when an address parser was added way back in Zephyr version 1.9.0, and it has quietly shipped in all subsequent releases up through version 4.4.0.

An attacker triggers this weakness during the network address resolution phase. If an application attempts to resolve a network-influenced address string—such as through a custom DNS configuration or the zsock_getaddrinfo API—the attacker can supply a specially crafted address containing an oversized port suffix. For example, feeding a literal IP followed by hundreds of bytes of an attacker-controlled payload.”

The root cause lies in how copy_len is derived. The function calculates the length using the logic str_len - end - 1. Because the total incoming string length is completely unbounded, an attacker can manipulate this math to force an arbitrarily large copy_len.

When the program executes memcpy to copy the port string into the fixed 17-byte ipaddr stack buffer, it triggers an out-of-bounds stack write. This immediately results in memory corruption, a total Denial of Service, or potentially control-flow hijacking.”

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2026-10666

“CVE-2026-24240, CVE-2026-24243 through 24245, 24247, and 24249: NVIDIA Megatron Bridge…”

Date of publication of this article: 14th July 2026

Preface: AI vendors typically use Hugging Face for initial fine-tuning, but once they need massive scale (tensor, pipeline, and sequence parallelism), they use the Bridge to convert HF checkpoints into Megatron format.

Ref: Hugging Face acts as the repository (like a “GitHub for AI”) where developers download these pre-trained models rather than building them from scratch.

Background: The NVIDIA Megatron Bridge belongs squarely to the Training and Customization pillars of the NVIDIA NeMo Framework.

Megatron Bridge includes Qwen-VL processing components to enable scalable distributed training, Supervised Fine-Tuning (SFT), and bidirectional checkpoint conversion for Qwen-VL foundation models on NVIDIA infrastructure.

Qwen models process video inputs natively by integrating 3D convolutions and multimodal rotary embeddings. The Megatron Bridge includes these exact Qwen-VL architecture definitions (e.g., Qwen35VLBridge) to correctly translate data between the Hugging Face framework and Megatron’s Core.

Where merge[.]py and shuffle[.]py Fit In?

Scripts handling actions like merge or shuffle typically live in the following areas of the ecosystem:

• src/megatron/bridge/data/: Submodules here handle on-the-fly streaming, iterating, and formatting of text/VLM data.

• scripts/ / tools/: Utility workflows built alongside Megatron Core use standalone python tools (like merge_datasets[.]py or preprocess_data[.]py) to consolidate large dataset shards and randomize training inputs.

Vulnerability details: Note on Parallel Vulnerabilities – The exact same insecure deserialization mechanic (pickle[.]loads() / np[.]load) shown above handles user inputs across adjacent workflows, triggering CVE-2026-24243 in the Qwen VL video processing components, and CVE-2026-24244, 24245, 24247, and 24249 within the wider data packaging and sample chunking scripts.

The identical descriptions for CVE-2026-24240, CVE-2026-24243, CVE-2026-24244, CVE-2026-24245, CVE-2026-24247, and CVE-2026-24249 occur because NVIDIA grouped multiple distinct insecure deserialization instances across separate files into one security release.

Details of above multiple vulnerabilities –

NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.

CWE-502 – The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Impact – Code execution, escalation of privileges, data tampering, information disclosure.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5841

Security Bulletin: NVIDIA ConnectX and BlueField – June 2026 (CVE-2025-23351 and CVE-2025-23350) 7th Jul 2026

Preface: While tech giants like Google rely on custom TPUs to cut costs and scale internal models like Gemini, NVIDIA remains globally dominant. This is because AWS and other cloud providers do offer NVIDIA H100s Amazon EC2 P5 Instances, and NVIDIA possesses an unmatched software ecosystem and universal hardware compatibility.

The NVIDIA ConnectX and BlueField command interface allows host software and firmware to communicate directly using the hardware’s internal mlx5 messaging layout. When Single Root I/O Virtualization (SR-IOV) is enabled, a local user or Virtual Machine (VM) interacting with a Virtual Function (VF) gains direct hardware access through this command interface to accelerate network capabilities.

Background: NVIDIA Secuirty Bulletin stated that a design weakness where local users with VF access could cause out-of-bounds write. However, there is ICM Page Limiting feature that the command interface enforces rules that prevent unprivileged guest users from overloading the server. Administrators can use the page_limit feature to cap the firmware interface memory (Internal Context Memory / ICM) that a rogue VF can pin down, avoiding host resource exhaustion? Do you think this function operate well in secure by design?

Answer: No, the ICM Page Limiting function does not operate well on its own under a strict “Secure by Design” philosophy when a severe memory corruption flaw like CVE-2025-23351 or CVE-2025-23350 is present.

While ICM Page Limiting is an excellent operational control for managing fair resource allocation, it falls short as a primary security defense because of how the two features interact at the architecture level. For details, please refer to attached infographic.

Vulnerability details:

CVE-2025-23351 and CVE-2025-23351 – NVIDIA ConnectX and BlueField contain a vulnerability in the command interface where a local user with virtual function (VF) access may cause a write out of bounds by crafted input. A successful exploit of this vulnerability may lead to arbitrary code execution on the device.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5699

CVE-2026-24270: About NVIDIA AIStore framework (6th July 2026)

Official published: 30th June 2026

Preface: Tailoring AI training for petascale environments (hundreds of GPUs/TPUs) requires distributed parallelism, robust fault tolerance, and specialized hardware-aware data pipelines. It is essential to balance computational scale across memory, storage bandwidth, and communication.

Background: NVIDIA AIStore is a lightweight, distributed object storage system built from scratch and specifically tailored for petascale AI training and inference workloads. It acts as a high-performance, horizontally scalable storage middleware designed to keep powerful GPUs fed with data and eliminate I/O bottlenecks.

What NVIDIA AIStore Actually Manages? Instead of routing GPU math, AIStore acts as an ultra-fast, horizontally scalable storage middleware to feed those GPUs. Its job is to eliminate I/O bottlenecks so your multi-dimensional parallel cluster doesn’t sit idle waiting for data.

Immediately Invoked Function Expression (IIFE) is a JavaScript design pattern where a function is defined and executed immediately. It creates an isolated local scope, preventing variables from polluting the global environment. IIFE is a purely software-level coding structure used in web development and Node.js.

When Would JavaScript See It?The only exception is if you are running a local Node.jsapplication directly on your machine (not inside a browser) and you explicitly write code to read the $HOME/.config/ais/cli/auth[.]token file.

Ref: A Bearer MALFORMED_OR_EMPTY_STRING pattern represents an API authorization header request where the actual security token is missing, null, broken, or literally replaced by an error message string (e.g., Authorization: Bearer undefined).

While this is fundamentally a client-side programming error, it is highly dangerous to backend systems because of how poorly written security middleware handles it.

Vulnerability details: CVE-2026-24270 NVIDIA AIStore framework contains a vulnerability where an attacker could bypass authentication. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, and data tampering.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5849

CVE-2026-24260: NVIDIA Container Toolkit for Linux contains a vulnerability where an attacker could cause a time-of-check time-of-use race condition. (3rd July 2026)

Preface: The core difference between the NVIDIA Container Toolkit and the NVIDIA GPU Operator is their scope of management: the NVIDIA Container Toolkit is a low-level component that enables individual container runtimes (like Docker or containerd) to talk to a local GPU, while the NVIDIA GPU Operator is a high-level orchestration system that automatically deploys and manages that toolkit—along with drivers and monitoring software—across an entire Kubernetes cluster.

Background: The NVIDIA Container Toolkit is a collection of libraries and utilities that allows containers (like Docker, Podman, and Kubernetes) to automatically detect and leverage NVIDIA GPUs. It handles the heavy lifting of mapping GPU devices and mounting necessary driver libraries directly into the container.

The toolkit is made up of a few core components that work together behind the scenes:

•NVIDIA Container Toolkit CLI (nvidia-ctk): The main command-line tool used to configure container runtimes to use NVIDIA GPUs. It sets up the backend configurations for tools like Docker, containerd, and CRI-O.

•NVIDIA Container Runtime (nvidia-container-runtime): A wrapper around standard low-level container runtimes (like runC) that injects the required GPU devices and drivers when a container starts.

•NVIDIA Container CLI (nvidia-container-cli): The low-level utility that inspects the host environment, enumerates GPUs, and configures the container execution environment.

•NVIDIA Container Library (libnvidia-container): The underlying programming library that provides the API to construct and manage the GPU-accelerated containers.

•NVIDIA CDI Hooks (nvidia-cdi-hook): Uses the open standard Container Device Interface (CDI) to seamlessly specify and allocate GPU devices to containers.

Vulnerability details: CVE-2026-24260 NVIDIA Container Toolkit for Linux contains a vulnerability where an attacker could cause a time-of-check time-of-use race condition. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, and data tampering.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5850

CVE-2026-53311: A memory handling vulnerability in the FUSE subsystem of the Linux Kernel. (2026-06-29)

Preface: KMSAN (Kernel Memory Sanitizer) was developed by Google. It is a dynamic error detector for the Linux kernel that finds uninitialized memory accesses.

Background: The main feature of fuse_dentry_revalidate() in Linux is to verify and refresh the validity of a directory entry (dentry) and its associated inode in the kernel’s cache before they are used. It bridges the gap between the kernel’s Virtual File System (VFS) and the userspace FUSE daemon.

The frequency of fuse_dentry_revalidate() calls in an HPC process is highly frequent and scales directly with metadata-intensive file operations. In a typical High-Performance Computing (HPC) workload, this function can be triggered millions of times per second, often becoming a major performance bottleneck due to excessive network round-trips to the storage server.

The Linux Kernel VFS (Virtual File System) calls fuse_dentry_revalidate() every time a process attempts to look up, open, or stat a file path to verify if the cached directory entry (dentry) is still valid.

HPC applications frequently invoke this function due to specific behavioral patterns:

  • Massive File Scanning: MPI jobs searching through deep directory structures or loading millions of small shared data files.
  • Shared Library Loading: Thousands of parallel processes concurrently running ld.so, which searches LD_LIBRARY_PATH and issues repetitive stat() and open() calls on shared files (e.g., Python workloads loading packages like NumPy).
  • N-to-N File Access: Multiple compute nodes constantly polling or reading files created by other nodes, forcing the kernel to re-validate the cache.

Vulnerability details: CVE-2026-53311 is a memory handling vulnerability in the FUSE (Filesystem in Userspace) subsystem of the Linux Kernel. The primary impact is system availability loss and potential internal kernel memory disclosure.

Attack Vector: Exploitation requires local access. An attacker must be able to mount a FUSE filesystem or trigger fuse_dentry_revalidate through file operations like opening a path.

How to Mitigate:Update Kernel: The issue is resolved by upgrading your Linux kernel to 6.18.34, 7.0.10, or applying the upstream patch across applicable stable releases.

Official announcement: Please refer to the link for detailshttps://www.tenable.com/cve/CVE-2026-53311

CVE-2026-52966: A design flaw in the Linux kernel direct rendering manager (DRM). Don’t underestimate it! (26th Jun 2026)

Preface: Syzbot is an automated testing system operated by Google that continuously tests the Linux kernel to discover hidden bugs, crashes, and security vulnerabilities. It runs a public Syzbot control panel that lists all active bugs, helps developers track fix progress, and sends crash reports directly to Linux community mailing lists.

Background: Linux kernel’s Direct Rendering Manager (DRM) is deeply connected to both the GPU shader cores and the rendering process. It acts as the “traffic cop” and resource manager for your graphics hardware.

The details below are an expansion of the remedies associated with the infographic in this article.

idrobj = idr_replace(&file_priv->object_idr, obj, handle);

idr is the mechanism used in the Linux core to map integer IDs (such as handle) to indicators (such as obj). Idr_replace will replace the old object originally mapped at the handle position with the new obj (obj here is usually NULL, which means releasing or clearing the mapping). Return value: This function returns the old indicator originally stored at this location. If the replacement is successful and was originally empty, NULL should be returned.

spin_unlock(&file_priv->table_lock);

Function: Release the spinlock (Spinlock). Technical details: table_lock is a protection lock set to prevent multiple execution threads from modifying the IDR table at the same time. After modifying the table (executing idr_replace), it must be unlocked immediately so that other threads can access the table.

WARN_ON(idrobj != NULL);

Function: Error checking and warning. Technical details: This is a core debugging mechanism.

Vulnerability details: CVE-2026-52966 is a logic bug in the Linux kernel . It happens when the system accidentally mixes up the old and new addresses of an internal tracking object . This specific mistake occurs during the DRM (Direct Rendering Manager) driver’s “change handle” process.

The Result: The system gets confused, causing system stability issues (like crashes or errors).

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2026-52966

CVE-2026-55447: A critical security vulnerability in the AI workflow platform Langflow versions prior to 1.9.2  (25th June 2026)

Preface: AI models do not use Langflow to generate or write code for you. When a large language model (like ChatGPT, Claude, Gemini, or specialized coding assistants) writes code in response to your prompts, it uses its own internal neural network, parameters, and training data.

The relationship between AI and Langflow is actually the exact opposite: human developers use Langflow to build, connect, and manage AI models.

Background: Langflow is an open-source, visual low-code framework specifically built to design, prototype, and deploy Artificial Intelligence (AI) workflows, multi-agent systems, and Retrieval-Augmented Generation (RAG) applications. It functions as a visual orchestration layer that abstracts complex Python AI code into drag-and-drop components.

Langflow features an embedded AI sidekick called the Langflow Assistant. The coolest part about this feature is its “inception-style” architecture: the Langflow Assistant is actually powered by a hidden Langflow graph running behind the scenes on your local server. When you ask it a question or give it a command, it runs an internal AI flow to alter or build the external AI flow you are working on.

When developers use Langflow, the strongest and most effective type of coding is Python-based integration, data orchestration, and AI pipeline customization.

Security Focus: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, by controlling a files that are digested into the RAG, an attacker can direct the node to read any file on the file-system by absolute path. All components based on BaseFileComponent are vulnerable to the vulnerability.

Ref: Controlling the files ingested into a Retrieval-Augmented Generation (RAG) pipeline means curating, filtering, and optimizing your source data before it is processed by the search and language models.

This process directly dictates the quality of your AI’s responses and prevents the system from “hallucinating” or wasting resources on irrelevant noise.

Affected Nodes on Your Canvas

Any flow using the following visual components prior to version 1.9.2 is vulnerable:

  • Read File (FileComponent)
  • Docling nodes (DoclingInlineComponent, DoclingRemoteComponent)
  • NVIDIA Retriever Extraction (NvidiaIngestComponent)
  • Video File (VideoFileComponent) Unstructured API (UnstructuredComponent)

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2026-55447