CVE-2026-24159 Overview
CVE-2026-24159 is a remote code execution vulnerability in the NVIDIA NeMo Framework, an open-source toolkit for building generative AI models including large language models, speech, and multimodal systems. The flaw is rooted in unsafe deserialization of untrusted data [CWE-502], allowing an attacker reachable over the network to execute arbitrary code in the context of the NeMo process. Successful exploitation can lead to code execution, privilege escalation, information disclosure, and data tampering against AI training and inference workloads.
Critical Impact
An unauthenticated network attacker can trigger arbitrary code execution on hosts running vulnerable NeMo Framework versions, compromising AI model integrity and the underlying GPU infrastructure.
Affected Products
- NVIDIA NeMo Framework (all versions prior to the fixed release listed in the NVIDIA advisory)
- Deployments running NeMo on Linux hosts with GPU acceleration
- Containerized NeMo workloads pulled from NVIDIA NGC catalogs
Discovery Timeline
- 2026-03-24 - CVE-2026-24159 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-24159
Vulnerability Analysis
The NeMo Framework processes serialized objects and model artifacts during loading and configuration. The vulnerability allows an attacker to supply crafted serialized data that the framework deserializes without sufficient validation. When the deserializer reconstructs the object graph, attacker-controlled callables or constructors are invoked, leading to arbitrary code execution within the Python process hosting NeMo.
Because NeMo workloads typically run with access to GPUs, model weights, training datasets, and cloud credentials, an attacker gains a high-value foothold. Compromise of a training node can poison downstream models, exfiltrate proprietary datasets, or pivot into adjacent MLOps infrastructure.
Root Cause
The root cause is insecure deserialization [CWE-502]. The framework treats serialized inputs as trusted and reconstructs Python objects without restricting allowed classes or validating provenance. Any data source feeding the affected loader — model checkpoints, configuration files, or network-delivered payloads — becomes an execution sink.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker who can deliver a malicious model artifact, configuration blob, or serialized payload to a NeMo endpoint or shared storage location triggers code execution when the framework loads the data. Common delivery paths include compromised model hubs, attacker-controlled URLs referenced in pipelines, and shared object stores used by ML teams.
No public proof-of-concept code is available for CVE-2026-24159 at the time of writing. Refer to the NVIDIA Support Answer for vendor technical detail.
Detection Methods for CVE-2026-24159
Indicators of Compromise
- Unexpected child processes spawned by Python interpreters running NeMo training or inference scripts.
- Outbound network connections from GPU worker nodes to unfamiliar hosts during model load operations.
- New or modified .nemo, .ckpt, or pickle-based artifacts appearing in shared model stores without a corresponding pipeline run.
- Anomalous reads of credential files, SSH keys, or cloud metadata services from NeMo processes.
Detection Strategies
- Monitor process lineage for python/torchrun parents launching shells, package managers, or network utilities.
- Inspect model artifacts for embedded executable payloads using pickle-scanning tooling before loading.
- Alert on NeMo containers making unexpected egress connections, particularly during checkpoint deserialization.
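The root cause described above (reconstructing Python objects without restricting allowed classes) and the "inspect artifacts with pickle-scanning tooling before loading" strategy both come down to controlling which globals a pickle stream may name. The following is an added example, not NeMo's own loader or any NVIDIA tooling: it walks a pickle's opcode stream statically to list the globals it references and whether it contains object-constructing opcodes, and pairs that with a restricted unpickler that refuses any global outside an allowlist. The allowlist contents, the sample artifacts and the function names are assumptions; the approach complements the vendor fix rather than replacing it.

```python
import io
import pickle
import pickletools

# Assumed allowlist: the only (module, name) pairs an artifact may reference;
# a real deployment enumerates the tensor and config types its format needs.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}
GET_OPS, PUT_OPS = {"BINGET", "LONG_BINGET", "GET"}, {"BINPUT", "LONG_BINPUT", "PUT"}
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def scan_pickle(data):
    """Walk the opcode stream with pickletools (nothing executes) and return
    (globals referenced, True if an object-constructing opcode appears)."""
    found, has_call, pushed, memo, last = set(), False, [], {}, None
    for op, arg, _ in pickletools.genops(data):
        if op.name in STRING_OPS or op.name in GET_OPS:
            # track string pushes (and memo fetches) so STACK_GLOBAL resolves
            last = arg if op.name in STRING_OPS else memo.get(arg)
            pushed.append(last)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last
        elif op.name in PUT_OPS:
            memo[arg] = last
        else:
            if op.name == "GLOBAL":  # protocol 0-3 form: "module name"
                found.add(tuple(arg.split(" ", 1)))
            elif op.name == "STACK_GLOBAL" and len(pushed) >= 2:
                found.add((pushed[-2], pushed[-1]))
            elif op.name in CALL_OPS:
                has_call = True
            last = None
    return found, has_call

class RestrictedUnpickler(pickle.Unpickler):
    """Loader-side gate: refuse any global outside the allowlist."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)

def load_is_blocked(data):
    try:  # True when the restricted loader refuses the artifact
        RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return True
    return False
PLAIN = pickle.dumps({"lr": 0.001, "steps": 10})  # constructed: scalars only
WITH_GLOBAL = pickle.dumps(range(3))  # constructed: class reference + REDUCE
```

Any artifact whose scan result contains a global outside ALLOWED_GLOBALS, or that the restricted loader refuses, belongs in quarantine for review rather than in the training or inference path.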
Monitoring Recommendations
- Enable detailed audit logging on hosts running NeMo and forward events to a centralized analytics platform.
- Track integrity of model registries and object stores with file-hash baselines and write-access alerts.
- Correlate GPU workload telemetry with endpoint behavioral signals to surface deviations from normal training patterns.
How to Mitigate CVE-2026-24159
Immediate Actions Required
- Upgrade NVIDIA NeMo Framework to the fixed version specified in the NVIDIA Security Bulletin.
- Inventory all NeMo deployments, including containers pulled from NGC and developer workstations, and prioritize patching network-exposed instances.
- Restrict model loading to artifacts originating from trusted, signed sources and revoke trust in any externally sourced checkpoints pending review.
Patch Information
NVIDIA has published remediation guidance in advisory a_id/5800. Apply the vendor-supplied update for the NeMo Framework and rebuild any downstream container images that bundle the affected versions. Validate that requirements files and CI/CD pipelines pin only fixed releases.
Workarounds
- Isolate NeMo training and inference hosts on segmented networks with strict egress controls until patches are applied.
- Disable automatic loading of remote or user-supplied model artifacts and require human review before deserialization.
- Run NeMo workloads under least-privilege service accounts with no access to long-lived cloud credentials or production secrets.
- Enforce code-signing or hash verification for all .nemo and pickle-based artifacts loaded by production pipelines.
# Verify the installed NeMo version, then upgrade to the fixed release
# named in the NVIDIA Security Bulletin (pin that version in requirements)
pip show nemo_toolkit | grep -i '^version'
pip install --upgrade "nemo_toolkit[all]"
# Gate artifacts on a trusted hash manifest before loading. The manifest
# /trusted/manifest.sha256 is produced once from reviewed artifacts with
#   sha256sum /models/*.nemo > /trusted/manifest.sha256
# and every later load first verifies the on-disk files against it
sha256sum --check --strict /trusted/manifest.sha256 || exit 1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


