Severity: HIGH | CVE-2026-24228 | CNA: nvidia

CVE-2026-24228: NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data

NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, data tampering, and information disclosure.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Deserialization of untrusted data vulnerability in NVIDIA NeMo Framework for Linux allows a local, low-privileged attacker to supply a maliciously crafted payload that the framework deserializes without sufficient validation. The attacker needs an existing low-privilege account on the host and does not require network access or victim interaction. Successful exploitation enables arbitrary code execution, privilege escalation, data tampering, and sensitive information disclosure. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle NVIDIA NeMo Framework. Images running any affected version from 0.0 through 2.7.2 are flagged automatically in both registry scans and CI/CD pipeline checks.

Status: Available

Triage

HarborGuard scores this CVE at 7.8 HIGH using the CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the NVIDIA advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the interim, the CVE remains flagged as unresolved on all matching images across any HarborGuard environment where NeMo Framework versions 0.0 through 2.7.2 are detected.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network exposure is required to reach the vulnerable code path.

  • Authentication: Required

    Any low-privilege local account is sufficient; the attacker does not need administrative or root credentials to trigger the deserialization.

  • Victim interaction: Not required

    No user action or social engineering is needed; the attacker can trigger exploitation without any participation from another user.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race condition, memory-layout dependency, or other environmental factor must be satisfied.

Blast Radius

  • Executes arbitrary code in the context of the NeMo Framework process, enabling full host compromise if the process runs with elevated permissions.
  • Escalates privileges beyond the initial low-privilege account, potentially reaching root or container-escape level access.
  • Modifies persisted model weights, training data, or application configuration stored on the host.
  • Reads sensitive data accessible to the NeMo process, including credentials, API keys, and proprietary model artifacts.

How HarborGuard Handles This

Available on HarborGuard: every image containing NVIDIA NeMo Framework versions 0.0 through 2.7.2 is continuously flagged under this CVE until an upstream patch is published. Because NVIDIA has not released a fix version, HarborGuard cannot yet generate a patched-image rebuild; instead, the advisory is re-evaluated on each ingest cycle so that a rebuild becomes available immediately upon upstream publication. While no code fix exists, customers can apply compensating controls using HarborGuard policy: network-policy isolation can restrict the workload from reaching untrusted data sources that could supply malicious payloads, and admission controls can gate deployment of affected images in production namespaces. For environments where NeMo Framework is not strictly required, disabling or removing the image from active registries is supported through HarborGuard's policy-enforcement workflow. Customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads as soon as a fix version is available upstream.

Affected packages
  • NVIDIA / NeMo Framework
    Versions 0.0 to 2.7.2
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H