{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24157", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "state": "PUBLISHED", "assignerShortName": "nvidia", "dateReserved": "2026-01-21T19:09:29.851Z", "datePublished": "2026-03-24T20:27:15.173Z", "dateUpdated": "2026-03-25T03:56:16.911Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-03-24T20:27:15.173Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Code execution, information disclosure, data tampering"}]}], "affected": [{"vendor": "NVIDIA", "product": "NeMo Framework", "platforms": ["All Platforms"], "versions": [{"status": "affected", "version": "All versions prior to 2.6.2"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering.", "supportingMedia": [{"type": "text/html", "base64": true, "value": "NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering."}]}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24157"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24157"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5800"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "NVIDIA PSIRT"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-24157"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T03:56:16.911Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24157", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T20:51:59.199367Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T20:53:26.652Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Code execution, information disclosure, data tampering"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NVIDIA", "product": "NeMo Framework", "versions": [{"status": "affected", "version": "All versions prior to 2.6.2"}], "platforms": ["All Platforms"], "defaultStatus": "unaffected"}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24157"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24157"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5800"}], "x_generator": {"engine": "NVIDIA PSIRT"}, "descriptions": [{"lang": "en", "value": "NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering.", "supportingMedia": [{"type": "text/html", "value": "NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering.", "base64": true}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-03-24T20:27:15.173Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24157", "state": "PUBLISHED", "dateUpdated": "2026-03-24T20:55:26.218Z", "dateReserved": "2026-01-21T19:09:29.851Z", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "datePublished": "2026-03-24T20:27:15.173Z", "assignerShortName": "nvidia"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nvidia:nemo:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A84F776-6444-4FF9-AE88-EC0B4045B9A9", "versionEndExcluding": "2.6.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering."}, {"lang": "es", "value": "NVIDIA NeMo Framework contiene una vulnerabilidad en la carga de puntos de control donde un atacante podr\u00eda causar ejecuci\u00f3n remota de c\u00f3digo. Un exploit exitoso de esta vulnerabilidad podr\u00eda conducir a la ejecuci\u00f3n de c\u00f3digo, escalada de privilegios, revelaci\u00f3n de informaci\u00f3n y manipulaci\u00f3n de datos."}], "id": "CVE-2026-24157", "lastModified": "2026-03-31T01:29:58.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "psirt@nvidia.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-24T21:16:27.823", "references": [{"source": "psirt@nvidia.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24157"}, {"source": "psirt@nvidia.com", "tags": ["Vendor Advisory"], "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5800"}, {"source": "psirt@nvidia.com", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2026-24157"}], "sourceIdentifier": "psirt@nvidia.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "psirt@nvidia.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["all_platforms"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "NeMo Framework", "source": "cna", "vendor": "NVIDIA"}, "product": "nemo_framework", "vendor": "nvidia"}], "analysis": {"en": {"generated_at": "2026-03-31T05:48:24.129338+00:00", "value": {"mitigation_remediation": ["Verify if an update or patch for NeMo Framework has been released by NVIDIA to address the checkpoint loading vulnerability. If available, download and deploy the patch immediately.", "Until a patch is applied, restrict file system permissions on the directories used for storing checkpoint files so that only trusted applications or users may write them.", "Disable the checkpoint loading feature if it is not required for your deployment.", "Enable detailed logging for all checkpoint load operations and monitor for anomalous activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is NVIDIA NeMo Framework. All builds that include the checkpoint loading feature are potentially impacted, as the CVE description does not narrow the scope to a specific version. Because version details are not supplied, administrators should assume that any deployment of NeMo Framework that loads checkpoints may be vulnerable until an update is applied.", "description_and_impact": "The vulnerability resides in the NeMo Framework\u2019s checkpoint loading functionality, where deserialization of a checkpoint file is performed without proper validation. This flaw constitutes a deserialization vulnerability (CWE-502) that can allow an attacker to inject executable code and trigger remote code execution. Successful exploitation could lead to full system compromise, privilege escalation, information disclosure, and data tampering as indicated by the vendor\u2019s description.", "risk_and_exploitability": "The CVSS base score of 7.8 classifies this issue as High severity, while the EPSS score of less than 1% suggests a low prevalence of exploitation in the wild, and the vulnerability is not currently listed in CISA\u2019s KEV catalogue. Exploitation would likely require a malicious checkpoint file to be fed into the application, either directly by an attacker with write access to the checkpoint directory or via a remote loading interface if exposed. The attack is therefore inferred to be remote, contingent on the exposure of the checkpoint loading mechanism."}}}}, "created": "2026-03-25T11:45:53.244159+00:00", "updated": "2026-03-31T20:09:20.058419+00:00", "vendors": ["nvidia", "nvidia$PRODUCT$nemo_framework"]}