NVIDIA disclosed three high-severity vulnerabilities in the NeMo Framework, tracked as CVE-2026-24155, CVE-2026-24252, and CVE-2026-24228, each assigned a CVSS v3.1 base score of 7.8, according to NVIDIA's security bulletin. Per the bulletin, CVE-2026-24252 affects Linux NeMo deployments and enables OS command injection; CVE-2026-24155 is a code injection issue affecting all platforms; and CVE-2026-24228 involves unsafe deserialization on Linux. NVIDIA lists affected versions as up to 2.7.2 and published a patched release, NeMo 2.7.3, with fixes, per the vendor advisory. Public vulnerability databases (CVE.org, NVD) mirror these records. The flaws require local access with low privileges and no user interaction but pose meaningful risk in shared compute and multiuser AI infrastructure, according to public reporting.
What happened
According to NVIDIA's security bulletin updated June 12, 2026, the company released a security update for the NeMo Framework that addresses three high-severity vulnerabilities. The issues are tracked as CVE-2026-24155, CVE-2026-24252, and CVE-2026-24228, and NVIDIA reports a CVSS v3.1 base score of 7.8 for each. The vendor advisory states affected NeMo versions include releases up to 2.7.2, and NVIDIA published a patched release, NeMo 2.7.3, which it recommends users obtain from the project GitHub, per the bulletin. Public databases including CVE.org and the NVD reflect matching descriptions and severity metrics.
Technical details
Per NVIDIA's bulletin and CVE records, CVE-2026-24252 is an OS command injection vulnerability that specifically impacts Linux deployments of NeMo. The bulletin describes the root cause as improper handling of user-controlled input that can allow an attacker with low privileges and local access to execute system commands. CVE-2026-24155 is documented as a code injection vulnerability affecting all platforms, and CVE-2026-24228 is listed as unsafe deserialization of untrusted data affecting Linux. NVIDIA and the CVE entries enumerate potential impacts as code execution, escalation of privileges, data tampering, and information disclosure. The vendor advisory and public records note the attack vector as local access with no user interaction required.
Industry context
Editorial analysis: Framework-level vulnerabilities that permit command or code injection often have outsized operational impact because AI development and deployment environments commonly intermix user scripts, model artifacts, and system orchestration tools. In shared compute clusters, multiuser workstations, and continuous integration pipelines, a low-privilege local exploit can be amplified by permissive mounts, shared credentials, or automated job schedulers. Observers documenting similar incidents note that unsafe deserialization and improper input handling are recurring root causes across ML tooling.
Practical implications for practitioners
Editorial analysis: Teams running NeMo in production, model training, or evaluation workflows should treat this as a configuration and supply-chain exposure even though the vendor classifies the attack vector as local. For organizations that host multiuser notebooks, shared GPUs, or automated model evaluation services, the presence of an exploitable NeMo component increases the attack surface for lateral movement and data exfiltration. Patch deployment, artifact integrity checks, and tightening local access controls are typical risk mitigations recommended by security teams for comparable vulnerabilities.
What to watch
- •Editorial analysis: Track adoption of NeMo 2.7.3 in downstream packages and container images; delayed upgrades in CI/CD and DockerHub images are common vectors for lingering exposure. - •Editorial analysis: Monitor public exploit telemetry and security vendor writeups for proof-of-concept details; those determine how easily the issues can be weaponized in real environments.
- •Editorial analysis: Watch for follow-up advisories from cloud providers, managed ML platforms, and package maintainers that embed NeMo, since those ecosystems control many deployment paths used by practitioners.
Closing note
NVIDIA's bulletin provides the vendor patch and encourages users to evaluate risk based on their configurations. Public vulnerability repositories (CVE.org and NVD) list the same identifiers and severity ratings, and multiple security vendors and research posts have flagged the issues for attention in shared and multiuser AI infrastructure.
Scoring Rationale #
The vulnerabilities affect a widely used ML framework and carry high CVSS scores, making this notable for practitioners managing shared compute and CI/CD. The story is not paradigm changing, so it rates as a significant security event rather than industry-shifting research.
Practice interview problems based on real data
1,500+ SQL & Python problems across 15 industry datasets — the exact type of data you work with.