CVE-2026-24155
HIGH · 7.8
Real vuln, vendor patching urgently, but no PoC/KEV-list or in-the-wild signals yet.
What: Code injection vulnerability in NVIDIA NeMo Framework (all platforms) enabling remote code execution, privilege escalation, and data tampering. CVSS 7.8 HIGH.
Why it matters: Published 16 June 2026. Researcher guidance to update to v2.7.3 indicates that a patch is available and that the advisory is being actively tracked. Not yet KEV-listed, but the immediate patching guidance and the linkage to multiple CVEs suggest vendor coordination. No public PoC has been reported in chatter.
Where it's seen: Security feed aggregation (HackerWire, PatchStack) and researcher alerts on social platforms within 24 hours of NVD publication. Bundled with two related NeMo CVEs (24252, 24228) amplifying visibility.
RISK: HIGH — Code injection + RCE scope across all platforms; patch available on the day of publication.
Description
NVIDIA NeMo Framework for all platforms contains a code injection vulnerability. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.
CVSS 3.1 breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Attack vector: Local
- Complexity: Low
- Privileges required: Low
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High