Description
NVIDIA NeMo Framework for all platforms contains a code injection vulnerability. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.
Published: 2026-06-16
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in NVIDIA NeMo Framework is a code injection flaw that can allow an attacker to execute arbitrary code, potentially escalating privileges, divulging confidential information, or tampering with data. The flaw potentially permits inserting malicious code into the execution context of the framework, leading to compromise of confidentiality, integrity, and availability as outlined by CWE-94. Based on the description, it is inferred that the attack vector could be a remote code injection through unsanitized input or configuration, although the precise path is not specified in the CVE data.

Affected Systems

NVIDIA NeMo Framework across all platforms is affected. The CVE does not enumerate specific affected versions, so any installed instance of the NeMo Framework, regardless of version, should be considered at risk unless a later release explicitly states otherwise.

Risk and Exploitability

The CVSS score of 7.8 indicates a High severity impact. The EPSS score of less than 1% suggests exploitation likelihood is currently very low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path involves remote code injection leveraging untrusted inputs into the framework; exploiting this flaw would grant an attacker the ability to run arbitrary code with the privileges of the NeMo process. Given the absence of an available exploit in the public domain and the low EPSS rating, the immediate risk is moderate, but the potential consequences warrant prompt remediation.

Generated by OpenCVE AI on June 17, 2026 at 20:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NVIDIA NeMo Framework to the latest patched release that addresses the code injection flaw
  • Restrict the framework’s runtime privileges and run it within a minimal‑privilege container or sandbox
  • Enable comprehensive logging and monitoring for anomalous code execution or unexpected input that could indicate injection attempts

Generated by OpenCVE AI on June 17, 2026 at 20:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Code Injection Vulnerability in NVIDIA NeMo Framework

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Nvidia nemo
CPEs cpe:2.3:a:nvidia:nemo:*:*:*:*:*:*:*:*
Vendors & Products Nvidia nemo

Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Nvidia
Nvidia nemo Framework
Vendors & Products Nvidia
Nvidia nemo Framework

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description NVIDIA NeMo Framework for all platforms contains a code injection vulnerability. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Nvidia Nemo Nemo Framework
cve-icon MITRE

Status: PUBLISHED

Assigner: nvidia

Published:

Updated: 2026-06-17T03:55:57.755Z

Reserved: 2026-01-21T19:09:29.851Z

Link: CVE-2026-24155

cve-icon Vulnrichment

Updated: 2026-06-16T17:44:07.960Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-16T17:16:39.440

Modified: 2026-06-16T20:38:09.253

Link: CVE-2026-24155

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T20:45:03Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')