CVE-2026-24186

High

Published: 28 April 2026

Published

28 April 2026

Modified

04 May 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

NVIDIA FLARE SDK contains a vulnerability in FOBS, where an attacker may cause deserialization of untrusted data by sending a malicious FOBS- encoded message. A successful exploit of this vulnerability might lead to code execution.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents exploitation by validating and sanitizing FOBS-encoded messages to block deserialization of untrusted data.

SI-2 Flaw Remediation good match

prevent

Remediates the root deserialization flaw in the NVIDIA FLARE SDK FOBS component through timely identification, reporting, and patching.

SI-16 Memory Protection good match

prevent

Mitigates arbitrary code execution from deserialization exploits via memory protection mechanisms such as DEP and ASLR.

Security SummaryAI

CVE-2026-24186 is a vulnerability in the NVIDIA FLARE SDK, specifically within its FOBS component, that enables deserialization of untrusted data. An attacker can trigger this by sending a malicious FOBS-encoded message, potentially leading to arbitrary code execution. The issue is classified under CWE-502 (Deserialization of Untrusted Data) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and significant impacts on confidentiality, integrity, and availability.

Exploitation requires low privileges (PR:L) and can be performed over the network (AV:N) with low attack complexity and no user interaction. A successful attack allows the adversary to achieve code execution on the targeted system, compromising high levels of confidentiality, integrity, and availability without changing scope.

Mitigation details are available in published advisories, including the NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5819, as well as NVD entry https://nvd.nist.gov/vuln/detail/CVE-2026-24186 and CVE record https://www.cve.org/CVERecord?id=CVE-2026-24186. The vulnerability was published on 2026-04-28.

Details

CWE(s): CWE-502

Affected Products

nvidia

nvflare

≤ 2.7.2

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.006 Python Execution

Adversaries may abuse Python commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Deserialization of untrusted data (CWE-502) over a network-accessible interface directly enables remote arbitrary code execution in the FLARE FOBS component, mapping to exploitation of a public-facing application (T1190) followed by Python-based command execution (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://nvd.nist.gov/vuln/detail/CVE-2026-24186
US Government Resource · psirt@nvidia.com
https://nvidia.custhelp.com/app/answers/detail/a_id/5819
Vendor Advisory · psirt@nvidia.com
https://www.cve.org/CVERecord?id=CVE-2026-24186
Third Party Advisory · psirt@nvidia.com