CVE-2026-24159 — NVIDIA NeMo deserialization RCE

CVE-2026-24159 is a NeMo Framework deserialization flaw (CWE-502) that can allow code execution when untrusted model/checkpoint content is processed. NVD currently scores this CVE as 9.8 (critical), while NVIDIA’s CNA score is 7.8 (high). Treat internet-reachable or shared training/inference pipelines as urgent remediation targets.

When to use it

Use this recipe when a repository trains, serves, evaluates, or packages models with NVIDIA NeMo and accepts checkpoints, model artifacts, datasets, notebooks, or registry entries from users, tenants, partners, or automation. It is designed for source-code/deployment remediation, unsafe deserialization review, model artifact provenance, least-privilege worker hardening, and evidence that untrusted artifacts cannot reach torch.load, pickle, or checkpoint restore paths.

Inputs

  • NeMo version, Python dependency files, lockfiles, training/inference images, model registry/bucket configuration, checkpoint restore paths, and SBOM or generated dependency reports.
  • Source/config paths that load NeMo checkpoints, run training/inference jobs, import notebooks, promote model artifacts, mount shared buckets, or grant cloud/model-provider credentials.
  • Regression or deployment checks for patched versions, trusted artifact sources, checksum/signature validation, disabled untrusted restores, and least-privilege workers.
  • Boundary evidence: model authors, registry write access, tenant/shared workload exposure, reachable secrets, logs, image owners, and rollout owner.

Affected versions

  • Vulnerable: nemo versions earlier than 2.6.2
  • Fixed: nemo>=2.6.2

Indicator-of-exposure

  • NeMo is installed at a vulnerable version.
  • The environment ingests untrusted checkpoints/artifacts/datasets.
  • Jobs run with broad file-system or cloud credentials.

Quick checks:

python -m pip show nemo-toolkit || python -m pip show nemo
python - <<'PY'
import importlib
for name in ("nemo", "nemo_toolkit"):
    try:
        m = importlib.import_module(name)
        print(name, getattr(m, "__version__", "unknown"))
    except Exception:
        pass
PY
rg -n "torch\.load|pickle|checkpoint|nemo" .

Remediation strategy

  • Upgrade NeMo to 2.6.2 or later.
  • Do not deserialize untrusted checkpoint/model files.
  • Require provenance controls (trusted registry/bucket, checksums/signatures).
  • Run NeMo jobs with least-privilege IAM and restricted network egress.

The prompt

You are remediating CVE-2026-24159 (NVIDIA NeMo deserialization RCE). Produce
exactly one output:

1. A reviewer-ready PR with code/config/docs updates, or
2. TRIAGE.md if no safe patch path exists.

## Rules

- Stay strictly in CVE-2026-24159 scope.
- Prefer the smallest safe upgrade path to `nemo>=2.6.2`.
- Assume model/checkpoint artifacts are untrusted unless proven otherwise.
- Do not auto-merge.

## Steps

1. Detect NeMo usage in manifests, lockfiles, images, and runtime scripts.
2. If NeMo absent or already fixed, create a brief triage note and stop.
3. Upgrade NeMo dependency pins and regenerate lockfiles.
4. Add one hardening update near NeMo load paths (or ops docs):
   - enforce trusted artifact sources,
   - require checksum/signature validation,
   - document least-privilege execution requirements.
5. Run tests/build checks.
6. Output PR title:
   `fix(sec): remediate CVE-2026-24159 in nvidia nemo`.

## Stop conditions

- Upgrade causes unsupported framework/API break without safe short path.
- Dependency manager/lockfile process is missing and cannot be made
  deterministic in this repo.
- Failures are unrelated pre-existing issues.

Verification — what the reviewer looks for

Output contract

  • A reviewer-ready PR or change request that upgrades NeMo, refreshes dependency/image artifacts, fences untrusted model ingestion, documents artifact provenance controls, and records secret/operator review.

  • Or a TRIAGE.md file that lists inspected dependencies/images/load paths, owner, observed version, model-artifact trust boundary, required fix, and residual risk.

  • The output must include exact validation commands and must not deserialize untrusted checkpoints, expose model/provider secrets, or execute exploit payloads.

  • Manifest/lockfile/image now resolves to nemo>=2.6.2.

  • No vulnerable NeMo versions remain in dependency inventory.

  • PR includes one concrete control for untrusted artifact ingestion.

Watch for

  • Updating a notebook image while training, batch, or inference images still install an affected NeMo build.
  • Allowing torch.load, pickle, or checkpoint restore paths to continue accepting user-supplied artifacts from shared buckets.
  • Treating internal model registries as trusted when write access is available to low-privilege users or automation.
  • Regression tests that deserialize untrusted sample payloads instead of using safe provenance and version checks.

References