How is CVE-2026-24155 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network path to the service is required. Authentication (required): Any low-privilege local account is sufficient; no elevated or administrative credentials are needed. Victim interaction (not-required): No user action is needed; the attacker can trigger the injection without involving any other account or session. Attack complexity (info): The exploit is reliable and condition-free, with no race conditions or special environmental factors required.

What is the impact of CVE-2026-24155?

Executes arbitrary code in the context of the NeMo Framework process, allowing the attacker to run commands on the host. Escalates privileges beyond the initial low-privilege account, potentially gaining control of the host or container runtime. Reads confidential data accessible to the process, including model weights, training datasets, credentials, and environment variables. Modifies or destroys persisted data, including model checkpoints, experiment results, and configuration files.

Back to search

HIGHCVE-2026-24155Published 2026-06-16Modified 2026-06-16CNA nvidia

CVE-2026-24155: NVIDIA NeMo Framework for all platforms contains a code injection vulnerability

NVIDIA NeMo Framework for all platforms contains a code injection vulnerability. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A code injection vulnerability affects NVIDIA NeMo Framework versions 0.0 through 2.7.2 on all platforms. The flaw is reachable locally by any low-privilege account, requires no victim interaction, and is reliable to exploit. Successful exploitation gives an attacker full code execution on the host, the ability to escalate privileges, read sensitive data, and tamper with stored data. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment NVIDIA publishes a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle NeMo Framework. Any image in a connected registry or CI pipeline running an affected version (0.0 through 2.7.2) is flagged automatically.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS 7.8 HIGH and weighting it against each environment's compliance policy to determine urgency. Triage routing directs the alert to the appropriate team inbox within the customer organization based on image ownership and policy configuration.

Available

Patch

No fix version has been published by NVIDIA as of this record. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual intervention once a fix version exists.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network path to the service is required.
AuthenticationRequired
Any low-privilege local account is sufficient; no elevated or administrative credentials are needed.
Victim interactionNot required
No user action is needed; the attacker can trigger the injection without involving any other account or session.
Attack complexityDetail
The exploit is reliable and condition-free, with no race conditions or special environmental factors required.

Blast Radius

Executes arbitrary code in the context of the NeMo Framework process, allowing the attacker to run commands on the host.
Escalates privileges beyond the initial low-privilege account, potentially gaining control of the host or container runtime.
Reads confidential data accessible to the process, including model weights, training datasets, credentials, and environment variables.
Modifies or destroys persisted data, including model checkpoints, experiment results, and configuration files.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-24155 is active across all connected registries and pipelines, flagging any image that includes NeMo Framework 0.0 through 2.7.2. Because no upstream fix has been published, HarborGuard monitors the NVIDIA advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a fix version is released. For customers with auto-remediation enabled, that rebuild will be accompanied by a regression-test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy isolation of any container running NeMo Framework to limit lateral movement if the host account is compromised, egress filtering to prevent exfiltration of model data or credentials, and removing NeMo Framework from images where it is not actively needed at runtime.

See how HarborGuard automates this

Affected packages

NVIDIA / NeMo Framework
Versions 0.0 to 2.7.2

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Metrics

Get notified