{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24186", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "state": "PUBLISHED", "assignerShortName": "nvidia", "dateReserved": "2026-01-21T19:09:32.732Z", "datePublished": "2026-04-28T17:45:40.517Z", "dateUpdated": "2026-04-28T17:45:40.517Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-04-28T17:45:40.517Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Code Execution"}]}], "affected": [{"vendor": "NVIDIA", "product": "FLARE SDK", "platforms": ["Linux/MacOS"], "versions": [{"status": "affected", "version": "All versions prior to 2.7.2"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "NVIDIA FLARE SDK contains a vulnerability in FOBS, where an attacker may cause deserialization of untrusted data by sending a malicious FOBS- encoded message. A successful exploit of this vulnerability might lead to code execution.", "supportingMedia": [{"type": "text/html", "base64": true, "value": "NVIDIA FLARE SDK contains a vulnerability in FOBS, where an attacker may cause deserialization of untrusted data by sending a malicious FOBS- encoded message. A successful exploit of this vulnerability might lead to code execution."}]}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24186"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24186"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5819"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "NVIDIA PSIRT"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA FLARE SDK contains a vulnerability in FOBS, where an attacker may cause deserialization of untrusted data by sending a malicious FOBS- encoded message. A successful exploit of this vulnerability might lead to code execution."}], "id": "CVE-2026-24186", "lastModified": "2026-04-28T20:10:42.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "psirt@nvidia.com", "type": "Secondary"}]}, "published": "2026-04-28T19:36:45.277", "references": [{"source": "psirt@nvidia.com", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24186"}, {"source": "psirt@nvidia.com", "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5819"}, {"source": "psirt@nvidia.com", "url": "https://www.cve.org/CVERecord?id=CVE-2026-24186"}], "sourceIdentifier": "psirt@nvidia.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "psirt@nvidia.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T23:11:32.841359+00:00", "value": {"mitigation_remediation": ["Apply the latest vendor patch or update as soon as it becomes available.", "If a patch cannot be applied immediately, limit or disable the FOBS message handling functionality to prevent untrusted data from being processed.", "Monitor network traffic for unexpected or malformed FOBS messages and log any anomalies for further investigation.", "Implement input validation or switch to a safer deserialization library to mitigate the CWE-502 weakness."], "summary": {"action": "Patch when available", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of NVIDIA FLARE SDK are potentially affected. The exact version numbers that contain the flaw are not specified, so every deployed instance should be considered at risk until a vendor patch is released.", "description_and_impact": "NVIDIA FLARE SDK contains a flaw in the FOBS component that allows an attacker to send a maliciously crafted FOBS-encoded message. The SDK will deserialize the data without proper validation, which can trigger arbitrary code execution. The vulnerability is a classic case of Deserialization of Untrusted Data (CWE-502), and a successful exploit could compromise the confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Although the input does not state the attack vector, the description of a message that can be sent suggests that the exploit can be performed remotely over a network connection to a system running FLARE SDK. Given the risk rating and the lack of an official patch at this time, the potential for exploitation remains significant."}}}}, "created": "2026-04-28T23:15:43.857343+00:00", "title": "Deserialization of Untrusted Data in NVIDIA FLARE SDK FOBS Leading to Code Execution", "updated": "2026-04-28T23:15:43.857354+00:00", "vendors": []}