{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24157", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "state": "PUBLISHED", "assignerShortName": "nvidia", "dateReserved": "2026-01-21T19:09:29.851Z", "datePublished": "2026-03-24T20:27:15.173Z", "dateUpdated": "2026-03-25T03:56:16.911Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-03-24T20:27:15.173Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Code execution, information disclosure, data tampering"}]}], "affected": [{"vendor": "NVIDIA", "product": "NeMo Framework", "platforms": ["All Platforms"], "versions": [{"status": "affected", "version": "All versions prior to 2.6.2"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering.", "supportingMedia": [{"type": "text/html", "base64": true, "value": "NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering."}]}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24157"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24157"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5800"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "NVIDIA PSIRT"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-24157"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T03:56:16.911Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24157", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T20:51:59.199367Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T20:53:26.652Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Code execution, information disclosure, data tampering"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NVIDIA", "product": "NeMo Framework", "versions": [{"status": "affected", "version": "All versions prior to 2.6.2"}], "platforms": ["All Platforms"], "defaultStatus": "unaffected"}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24157"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24157"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5800"}], "x_generator": {"engine": "NVIDIA PSIRT"}, "descriptions": [{"lang": "en", "value": "NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering.", "supportingMedia": [{"type": "text/html", "value": "NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering.", "base64": true}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-03-24T20:27:15.173Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24157", "state": "PUBLISHED", "dateUpdated": "2026-03-24T20:55:26.218Z", "dateReserved": "2026-01-21T19:09:29.851Z", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "datePublished": "2026-03-24T20:27:15.173Z", "assignerShortName": "nvidia"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nvidia:nemo:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A84F776-6444-4FF9-AE88-EC0B4045B9A9", "versionEndExcluding": "2.6.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering."}, {"lang": "es", "value": "NVIDIA NeMo Framework contiene una vulnerabilidad en la carga de puntos de control donde un atacante podr\u00eda causar ejecuci\u00f3n remota de c\u00f3digo. Un exploit exitoso de esta vulnerabilidad podr\u00eda conducir a la ejecuci\u00f3n de c\u00f3digo, escalada de privilegios, revelaci\u00f3n de informaci\u00f3n y manipulaci\u00f3n de datos."}], "id": "CVE-2026-24157", "lastModified": "2026-03-31T01:29:58.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2026-03-24T21:16:27.823", "references": [{"source": "[email protected]", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24157"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5800"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2026-24157"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["all_platforms"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "NeMo Framework", "source": "cna", "vendor": "NVIDIA"}, "product": "nemo_framework", "vendor": "nvidia"}], "analysis": {"en": {"generated_at": "2026-03-24T21:20:59.860618+00:00", "value": {"mitigation_remediation": ["Apply the latest NVIDIA NeMo Framework patch or upgrade to a version that addresses the checkpoint loading issue.", "If an immediate patch is unavailable, restrict the ability to load external checkpoints to trusted users or directories and audit checkpoint files for integrity.", "Report any exploitation activity to NVIDIA support and monitor the system for unauthorized code execution or privilege changes."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected party is the NVIDIA NeMo Framework. Vendor and product details are available, but specific product versions are not disclosed in the provided data; administrators should verify which NeMo releases are susceptible.", "description_and_impact": "The vulnerability in NVIDIA NeMo Framework occurs during checkpoint loading, enabling an attacker to execute arbitrary code on the system. This flaw, identified as CWE\u2011502, can also permit privilege escalation, unauthorized information disclosure, and data tampering, impacting confidentiality, integrity, and availability of the affected environment.", "risk_and_exploitability": "The CVSS score of 7.8 classifies this flaw as high severity. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog, suggesting moderate publicly available exploitation evidence. Based on the description, the likely attack vector is the upload or loading of a malicious checkpoint file by an adversary with access to the NeMo environment; however, the exact prerequisites are not fully defined in the source material."}}}}, "created": "2026-03-25T11:45:53.244159+00:00", "title": "Remote Code Execution in NVIDIA NeMo Framework Checkpoint Loading", "updated": "2026-03-25T20:57:19.046433+00:00", "vendors": ["nvidia", "nvidia$PRODUCT$nemo_framework"]}