CVE-2026-24228
HIGH · 7.8
Real vuln with patch released, but no PoC/KEV; mostly vendor+news amplification.
What: A deserialization vulnerability in NVIDIA NeMo Framework for Linux; untrusted data reaching the deserializer can lead to code execution, privilege escalation, and data tampering (CVSS 7.8 HIGH).
Why it matters: Published 16 June 2026; NVIDIA has issued a patched version (v2.7.3), cited in vendor guidance. No KEV listing yet, but it is bundled with two sibling CVEs (CVE-2026-24155, CVE-2026-24252) that also enable code execution. Chatter emphasizes the urgency of patching; the issue affects AI/ML infrastructure operators.
Where it's seen: Social posts aggregating NVD metadata and vendor advisories; security news wire coverage; calls to action to upgrade to the fixed version. No public PoC or in-the-wild exploitation reported; discussion remains vendor-advisory driven.
RISK: HIGH — Deserialization RCE in widely-deployed ML framework; vendor patch available; no KEV yet.
Description
NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, data tampering, and information disclosure.
CVSS 3.1 breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Attack vector: Local
- Attack complexity: Low
- Privileges required: Low
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High