{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24164", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "state": "PUBLISHED", "assignerShortName": "nvidia", "dateReserved": "2026-01-21T19:09:30.918Z", "datePublished": "2026-03-31T16:24:03.705Z", "dateUpdated": "2026-03-31T17:06:08.146Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-03-31T16:24:03.705Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Code execution, denial of service, information disclosure, data tampering"}]}], "affected": [{"vendor": "NVIDIA", "product": "BioNeMo Framework", "platforms": ["Linux"], "versions": [{"status": "affected", "version": "All versions that do not include commit f2c2b14"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "NVIDIA BioNeMo contains a vulnerability where a user could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.", "supportingMedia": [{"type": "text/html", "base64": true, "value": "NVIDIA BioNeMo contains a vulnerability where a user could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering."}]}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24164"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24164"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5808"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "NVIDIA PSIRT"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T17:04:20.477706Z", "id": "CVE-2026-24164", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T17:06:08.146Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24164", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T17:04:20.477706Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T17:05:31.013Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Code execution, denial of service, information disclosure, data tampering"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NVIDIA", "product": "BioNeMo Framework", "versions": [{"status": "affected", "version": "All versions that do not include commit f2c2b14"}], "platforms": ["Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24164"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24164"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5808"}], "x_generator": {"engine": "NVIDIA PSIRT"}, "descriptions": [{"lang": "en", "value": "NVIDIA BioNeMo contains a vulnerability where a user could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.", "supportingMedia": [{"type": "text/html", "value": "NVIDIA BioNeMo contains a vulnerability where a user could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.", "base64": true}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-03-31T16:24:03.705Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24164", "state": "PUBLISHED", "dateUpdated": "2026-03-31T17:06:08.146Z", "dateReserved": "2026-01-21T19:09:30.918Z", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "datePublished": "2026-03-31T16:24:03.705Z", "assignerShortName": "nvidia"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nvidia:bionemo_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "90340610-6E7B-476C-9B62-089FCFF48E3A", "versionEndExcluding": "2026-01-21", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA BioNeMo contains a vulnerability where a user could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering."}], "id": "CVE-2026-24164", "lastModified": "2026-04-03T19:00:49.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "psirt@nvidia.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-31T17:16:30.937", "references": [{"source": "psirt@nvidia.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24164"}, {"source": "psirt@nvidia.com", "tags": ["Vendor Advisory"], "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5808"}, {"source": "psirt@nvidia.com", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2026-24164"}], "sourceIdentifier": "psirt@nvidia.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "psirt@nvidia.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["Linux"], "status": "affected", "versions": {"scheme": "generic", "value": "All versions that do not include commit f2c2b14"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "bionemo_framework", "vendor": "nvidia"}], "analysis": {"en": {"generated_at": "2026-04-03T21:26:36.683537+00:00", "value": {"mitigation_remediation": ["Check NVIDIA\u2019s official advisories for an available patch and apply the latest update to BioNeMo Framework", "If a patch is not yet available, restrict the framework from deserializing data that originates from untrusted or external sources", "Review and update any endpoints that accept externally supplied data to enforce strict validation and encoding", "Monitor system logs for anomalous deserialization activity and investigate any suspicious requests", "Apply general hardening measures, such as limiting network exposure of the framework and enforcing least privilege on the execution environment"], "summary": {"action": "Patch Immediately", "impact": "Potential code execution, denial of service, information disclosure, and data tampering via deserialization of untrusted data"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the NVIDIA BioNeMo Framework; version information is not specified, so all deployed instances of this product are considered at risk.", "description_and_impact": "NVIDIA BioNeMo Framework has a deserialization flaw that allows an attacker to supply malicious data that the software will process during deserialization. This weakness can enable the attacker to execute arbitrary code on the system, crash the application, leak sensitive information, or modify data stored by the framework.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity and reflects the destructive impact of a successful exploit. The EPSS score of less than 1 per cent suggests a low likelihood of widespread exploitation so far, and the vulnerability is not listed in CISA\u2019s KEV catalog. However, because the flaw involves deserialization of untrusted data, an attacker who can influence the data stream\u2014either locally or remotely if the framework exposes endpoints\u2014may be able to trigger the vulnerability. The attack requires the attacker to provide crafted input, which is feasible if the application accepts data from external sources or if an insider can inject payloads."}}}}, "created": "2026-03-31T19:53:56.846573+00:00", "updated": "2026-04-07T08:07:54.814083+00:00", "vendors": ["nvidia", "nvidia$PRODUCT$bionemo_framework"]}