NVIDIA Discloses NeMo Command Injection Vulnerability

NVIDIA disclosed three high-severity vulnerabilities in the NeMo Framework, tracked as CVE-2026-24155, CVE-2026-24252, and CVE-2026-24228, each assigned a CVSS v3.1 base score of 7.8, according to NVIDIA's security bulletin. Per the bulletin, CVE-2026-24252 affects Linux NeMo deployments and enables OS command injection; CVE-2026-24155 is a code injection issue affecting all platforms; and CVE-2026-24228 involves unsafe deserialization on Linux. NVIDIA lists affected versions as up to 2.7.2 and published a patched release, NeMo 2.7.3, with fixes, per the vendor advisory. CVE.org and stack.watch confirm CVE-2026-24155 and CVE-2026-24228 as June 16, 2026 publications at CVSS 7.8. The flaws require local access with low privileges and no user interaction but pose meaningful risk in shared compute and multiuser AI infrastructure, per public reporting.
What happened
According to NVIDIA's security bulletin updated June 12, 2026, the company released a security update for the NeMo Framework that addresses three high-severity vulnerabilities. The issues are tracked as CVE-2026-24155, CVE-2026-24252, and CVE-2026-24228, and NVIDIA reports a CVSS v3.1 base score of 7.8 for each. The vendor advisory states affected NeMo versions include releases up to 2.7.2, and NVIDIA published a patched release, NeMo 2.7.3, which it recommends users obtain from the project GitHub, per the bulletin. Public databases including CVE.org and the NVD reflect matching descriptions and severity metrics.
Technical details
Per NVIDIA's bulletin and CVE records, CVE-2026-24252 is an OS command injection vulnerability that specifically impacts Linux deployments of NeMo. The bulletin describes the root cause as improper handling of user-controlled input that can allow an attacker with low privileges and local access to execute system commands. CVE-2026-24155 is documented as a code injection vulnerability affecting all platforms, and CVE-2026-24228 is listed as unsafe deserialization of untrusted data affecting Linux. NVIDIA and the CVE entries enumerate potential impacts as code execution, escalation of privileges, data tampering, and information disclosure. The vendor advisory and public records note the attack vector as local access with no user interaction required.
Industry context
Practical implications for practitioners
Editorial analysis
Framework-level vulnerabilities that permit command or code injection often have outsized operational impact because AI development and deployment environments commonly intermix user scripts, model artifacts, and system orchestration tools. In shared compute clusters, multiuser workstations, and continuous integration pipelines, a low-privilege local exploit can be amplified by permissive mounts, shared credentials, or automated job schedulers. Observers documenting similar incidents note that unsafe deserialization and improper input handling are recurring root causes across ML tooling.
Teams running NeMo in production, model training, or evaluation workflows should treat this as a configuration and supply-chain exposure even though the vendor classifies the attack vector as local. For organizations that host multiuser notebooks, shared GPUs, or automated model evaluation services, the presence of an exploitable NeMo component increases the attack surface for lateral movement and data exfiltration. Patch deployment, artifact integrity checks, and tightening local access controls are typical risk mitigations recommended by security teams for comparable vulnerabilities.
What to watch
- •Editorial analysis: Track adoption of NeMo 2.7.3 in downstream packages and container images; delayed upgrades in CI/CD and DockerHub images are common vectors for lingering exposure.
- •Editorial analysis: Monitor public exploit telemetry and security vendor writeups for proof-of-concept details; those determine how easily the issues can be weaponized in real environments.
- •Editorial analysis: Watch for follow-up advisories from cloud providers, managed ML platforms, and package maintainers that embed NeMo, since those ecosystems control many deployment paths used by practitioners.
Closing note
NVIDIA's bulletin provides the vendor patch and encourages users to evaluate risk based on their configurations. Public vulnerability repositories (CVE.org and NVD) list the same identifiers and severity ratings, and multiple security vendors and research posts have flagged the issues for attention in shared and multiuser AI infrastructure.
Key Points
- 1NVIDIA published patches for three NeMo CVEs (CVE-2026-24155, CVE-2026-24252, CVE-2026-24228), each rated CVSS 7.8, affecting versions up to 2.7.2.
- 2Framework-level command or code injection often escalates risk in multiuser and shared compute environments, even when the attack vector is local.
- 3Practitioners should watch downstream images, CI/CD artifacts, and managed platforms for delayed NeMo upgrades that prolong exposure.
Scoring Rationale
Three high-severity CVEs (CVSS 7.8 each) in NVIDIA NeMo, a widely-used ML framework, with confirmed June 16, 2026 publications for CVE-2026-24155 and CVE-2026-24228. Framework-level command and code injection vulnerabilities have outsized risk in shared compute environments. Rated as a significant security event for AI/ML practitioners.
Sources
Public references used for this report.
View 8 more sources
- 04Vulnerability in Nvidia NeMo Gen-AI Framework - UCSF ITit.ucsf.edu
- 05New Vulnerabilities in NVIDIA NeMo and Meta PyTorchcatonetworks.com
- 06CVE-2025-33246: NVIDIA NeMo Framework RCE Vulnerabilitysentinelone.com
- 07Endor Patches | CVE-2025-33246, NVIDIA NeMo Framework for all ...endorlabs.com
- 08NVIDIA NeMo Archive Extraction Allows Arbitrary File Writehiddenlayer.com
- 09Nemo Framework CVEs and Security Vulnerabilities - OpenCVEapp.opencve.io
- 10CVE-2025-33226 Detail - NVDnvd.nist.gov
- 11NVIDIA NeMo Security Flaw Exposes Systems to Command Injection Attacksgbhackers.com
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems
