{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24156", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "state": "PUBLISHED", "assignerShortName": "nvidia", "dateReserved": "2026-01-21T19:09:29.851Z", "datePublished": "2026-04-07T17:11:16.386Z", "dateUpdated": "2026-04-07T19:22:32.597Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-04-07T17:11:16.386Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Code Execution"}]}], "affected": [{"vendor": "NVIDIA", "product": "DALI", "platforms": ["All"], "versions": [{"status": "affected", "version": "All versions prior to 2.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "NVIDIA DALI contains a vulnerability where an attacker could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to arbitrary code execution.", "supportingMedia": [{"type": "text/html", "base64": true, "value": "NVIDIA DALI contains a vulnerability where an attacker could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to arbitrary code execution."}]}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24156"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24156"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5811"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "NVIDIA PSIRT"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T19:18:21.531960Z", "id": "CVE-2026-24156", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T19:22:32.597Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24156", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T19:18:21.531960Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T19:18:26.978Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Code Execution"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NVIDIA", "product": "DALI", "versions": [{"status": "affected", "version": "All versions prior to 2.0"}], "platforms": ["All"], "defaultStatus": "unaffected"}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24156"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24156"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5811"}], "x_generator": {"engine": "NVIDIA PSIRT"}, "descriptions": [{"lang": "en", "value": "NVIDIA DALI contains a vulnerability where an attacker could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to arbitrary code execution.", "supportingMedia": [{"type": "text/html", "value": "NVIDIA DALI contains a vulnerability where an attacker could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to arbitrary code execution.", "base64": true}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-04-07T17:11:16.386Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24156", "state": "PUBLISHED", "dateUpdated": "2026-04-07T19:22:32.597Z", "dateReserved": "2026-01-21T19:09:29.851Z", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "datePublished": "2026-04-07T17:11:16.386Z", "assignerShortName": "nvidia"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA DALI contains a vulnerability where an attacker could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to arbitrary code execution."}], "id": "CVE-2026-24156", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "psirt@nvidia.com", "type": "Secondary"}]}, "published": "2026-04-07T18:16:39.647", "references": [{"source": "psirt@nvidia.com", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24156"}, {"source": "psirt@nvidia.com", "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5811"}, {"source": "psirt@nvidia.com", "url": "https://www.cve.org/CVERecord?id=CVE-2026-24156"}], "sourceIdentifier": "psirt@nvidia.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "psirt@nvidia.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["All"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "dali", "vendor": "nvidia"}], "analysis": {"en": {"generated_at": "2026-04-07T21:23:17.395447+00:00", "value": {"mitigation_remediation": ["Check NVIDIA\u2019s website or support portal for an available patch or an official update to DALI.", "If a patch is released, apply the update immediately and verify that the vulnerable functionality is removed.", "In the absence of a patch, restrict access to the DALI interface so that only trusted applications or users can provide input data.", "Where feasible, add input validation or deserialization guard logic to reject data that does not meet expected formats.", "Monitor system logs for unexpected deserialization activity and investigate any anomalies promptly."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in NVIDIA DALI. No specific version information is supplied in the CVE record, so all releases of DALI should be considered potentially affected until further clarification is provided.", "description_and_impact": "NVIDIA DALI contains a flaw that allows the deserialization of untrusted data. This weakness can let an attacker execute arbitrary code within the DALI process, potentially compromising confidentiality, integrity, and availability of systems that rely on it.", "risk_and_exploitability": "The flaw has a CVSS score of 7.3, indicating high severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but the potential for arbitrary code execution makes it a significant risk. Based on the description, the likely attack vector is the delivery of malicious data to the DALI component\u2014such as through API calls, embedded data streams, or input files\u2014though the exact conditions are not detailed. An attacker who can supply such data could potentially take control of the affected system."}}}}, "created": "2026-04-08T19:47:25.754883+00:00", "title": "Untrusted Data Deserialization in NVIDIA DALI Allows Arbitrary Code Execution", "updated": "2026-04-09T08:24:02.985613+00:00", "vendors": ["nvidia", "nvidia$PRODUCT$dali"]}