
Cloud Vulnerability DB
A community-maintained database of vulnerabilities
CVE-2026-24155 is a code injection vulnerability (CWE-94) in the NVIDIA NeMo Framework affecting all platforms. A successful exploit may lead to arbitrary code execution, escalation of privileges, information disclosure, and data tampering. The vulnerability affects NeMo Framework versions 0.0 through 2.7.2 (all versions prior to 2.7.3) and was publicly disclosed on June 16, 2026. It carries a CVSS v3.1 base score of 7.8 (High), assigned by NVIDIA Corporation (GitHub Advisory, NVIDIA Advisory).
The vulnerability is classified as CWE-94 (Improper Control of Generation of Code — 'Code Injection'), meaning the NeMo Framework improperly neutralizes externally-influenced input that is used to construct code segments, allowing an attacker to modify the behavior of the intended code. The attack vector is local, requiring low privileges and no user interaction, indicating that a local user with standard system access can trigger the vulnerability without any additional conditions. No detailed technical write-up or public proof-of-concept code has been identified at this time (GitHub Advisory, NVIDIA Advisory).
Successful exploitation of CVE-2026-24155 results in high impact across all three security dimensions: confidentiality, integrity, and availability. A local attacker can execute arbitrary code with the privileges of the NeMo Framework process, escalate their privileges on the affected system, access sensitive information processed by the framework (such as AI model data or training datasets), and tamper with data. Given NeMo's role as an AI/ML infrastructure framework, exploitation could compromise AI pipelines and associated data assets (NVIDIA Advisory, GitHub Advisory).
NVIDIA has released NeMo Framework version 2.7.3 as the patched release, which addresses this vulnerability. Organizations should upgrade all NeMo Framework deployments from any version in the 0.0–2.7.2 range to version 2.7.3 or later. As interim measures, administrators should restrict local system access to NeMo Framework processes, apply the principle of least privilege to accounts interacting with NeMo, and monitor for anomalous code execution or privilege escalation activity (NVIDIA Advisory, GitHub Advisory).
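To help inventory deployments against the affected range above, here is an added example (not part of the advisory or of NVIDIA's code) that reports whether an installed NeMo Framework build is below the fixed release. It assumes the framework is installed as the Python distribution "nemo_toolkit" (an assumed name) and compares versions numerically, so that 2.10.0 is correctly treated as newer than 2.7.3 and a pre-release such as 2.7.3rc1 is still treated as unpatched.

```python
"""Check whether an installed NeMo Framework build is below the fixed release.

Added example, not from the advisory. Assumption: NeMo Framework ships as the
Python distribution named "nemo_toolkit".
"""
import re
from importlib import metadata

FIXED_VERSION = "2.7.3"       # first fixed release named in the advisory
DIST_NAME = "nemo_toolkit"    # assumed distribution name

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(text: str) -> tuple:
    """Turn '2.7.3', '2.7', '2.7.3rc1' or '2.7.3+cu12' into a comparable tuple.

    The numeric part is padded to three components. A trailing pre-release
    suffix (rc1, a0, .dev3) sorts below the final release, a .post suffix or a
    local '+...' tag sorts equal to it.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    suffix = m.group(2).split("+")[0]          # drop local version tag
    pre = -1 if suffix and not suffix.startswith(".post") else 0
    return tuple(nums[:3]) + (pre,)


def is_affected(version: str) -> bool:
    """True if `version` is older than the first fixed release (2.7.3)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_status(dist_name: str = DIST_NAME) -> dict:
    """Look up the installed distribution and say whether it is affected."""
    try:
        version = metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return {"installed": False, "version": None, "affected": False}
    return {"installed": True, "version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    status = installed_status()
    if not status["installed"]:
        print(f"{DIST_NAME} is not installed in this environment")
    else:
        verdict = "AFFECTED, upgrade to 2.7.3 or later" if status["affected"] else "patched"
        print(f"{DIST_NAME} {status['version']}: {verdict}")
```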
Coverage of CVE-2026-24155 appeared across multiple security news outlets shortly after disclosure, including GBHackers, SecurityOnline, CyberPress, and UnderCodeNews, which highlighted the risk to AI infrastructure. Social media activity was observed on Mastodon (infosec.exchange) and Bluesky, with automated CVE tracking accounts flagging the vulnerability. One outlet (letsdatascience.com) specifically characterized it as a 'command injection vulnerability,' and coverage noted it was part of a broader set of NeMo security fixes (GBHackers, SecurityOnline, UnderCodeNews).
Source: This report was generated with the help of AI