CVE-2026-24159 — NVIDIA NeMo deserialization RCE
CVE-2026-24159 is a NeMo Framework deserialization flaw (CWE-502) that can allow code execution when untrusted model/checkpoint content is processed. NVD currently scores this CVE as 9.8 (critical), while NVIDIA’s CNA score is 7.8 (high). Treat internet-reachable or shared training/inference pipelines as urgent remediation targets.
When to use it
Use this recipe when a repository trains, serves, evaluates, or packages models
with NVIDIA NeMo and accepts checkpoints, model artifacts, datasets, notebooks,
or registry entries from users, tenants, partners, or automation. It is designed
for source-code/deployment remediation, unsafe deserialization review, model
artifact provenance, least-privilege worker hardening, and evidence that
untrusted artifacts cannot reach torch.load, pickle, or checkpoint restore
paths.
Inputs
- NeMo version, Python dependency files, lockfiles, training/inference images, model registry/bucket configuration, checkpoint restore paths, and SBOM or generated dependency reports.
- Source/config paths that load NeMo checkpoints, run training/inference jobs, import notebooks, promote model artifacts, mount shared buckets, or grant cloud/model-provider credentials.
- Regression or deployment checks for patched versions, trusted artifact sources, checksum/signature validation, disabled untrusted restores, and least-privilege workers.
- Boundary evidence: model authors, registry write access, tenant/shared workload exposure, reachable secrets, logs, image owners, and rollout owner.
Affected versions
- Vulnerable:
nemoversions earlier than2.6.2 - Fixed:
nemo>=2.6.2
Indicator-of-exposure
- NeMo is installed at a vulnerable version.
- The environment ingests untrusted checkpoints/artifacts/datasets.
- Jobs run with broad file-system or cloud credentials.
Quick checks:
python -m pip show nemo-toolkit || python -m pip show nemo
python - <<'PY'
import importlib
for name in ("nemo", "nemo_toolkit"):
try:
m = importlib.import_module(name)
print(name, getattr(m, "__version__", "unknown"))
except Exception:
pass
PY
rg -n "torch\.load|pickle|checkpoint|nemo" .
Remediation strategy
- Upgrade NeMo to
2.6.2or later. - Do not deserialize untrusted checkpoint/model files.
- Require provenance controls (trusted registry/bucket, checksums/signatures).
- Run NeMo jobs with least-privilege IAM and restricted network egress.
The prompt
You are remediating CVE-2026-24159 (NVIDIA NeMo deserialization RCE). Produce
exactly one output:
1. A reviewer-ready PR with code/config/docs updates, or
2. TRIAGE.md if no safe patch path exists.
## Rules
- Stay strictly in CVE-2026-24159 scope.
- Prefer the smallest safe upgrade path to `nemo>=2.6.2`.
- Assume model/checkpoint artifacts are untrusted unless proven otherwise.
- Do not auto-merge.
## Steps
1. Detect NeMo usage in manifests, lockfiles, images, and runtime scripts.
2. If NeMo absent or already fixed, create a brief triage note and stop.
3. Upgrade NeMo dependency pins and regenerate lockfiles.
4. Add one hardening update near NeMo load paths (or ops docs):
- enforce trusted artifact sources,
- require checksum/signature validation,
- document least-privilege execution requirements.
5. Run tests/build checks.
6. Output PR title:
`fix(sec): remediate CVE-2026-24159 in nvidia nemo`.
## Stop conditions
- Upgrade causes unsupported framework/API break without safe short path.
- Dependency manager/lockfile process is missing and cannot be made
deterministic in this repo.
- Failures are unrelated pre-existing issues.
Verification — what the reviewer looks for
Output contract
-
A reviewer-ready PR or change request that upgrades NeMo, refreshes dependency/image artifacts, fences untrusted model ingestion, documents artifact provenance controls, and records secret/operator review.
-
Or a
TRIAGE.mdfile that lists inspected dependencies/images/load paths, owner, observed version, model-artifact trust boundary, required fix, and residual risk. -
The output must include exact validation commands and must not deserialize untrusted checkpoints, expose model/provider secrets, or execute exploit payloads.
-
Manifest/lockfile/image now resolves to
nemo>=2.6.2. -
No vulnerable NeMo versions remain in dependency inventory.
-
PR includes one concrete control for untrusted artifact ingestion.
Watch for
- Updating a notebook image while training, batch, or inference images still install an affected NeMo build.
- Allowing
torch.load, pickle, or checkpoint restore paths to continue accepting user-supplied artifacts from shared buckets. - Treating internal model registries as trusted when write access is available to low-privilege users or automation.
- Regression tests that deserialize untrusted sample payloads instead of using safe provenance and version checks.
Related recipes
- Source code injection sink audit
- Source code supply chain build integrity audit
- Source code secrets and data exposure audit
- NIST SSDF repository evidence check
References
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-24159
- NVIDIA bulletin (NeMo): https://nvidia.custhelp.com/app/answers/detail/a_id/5800
- CVE record: https://www.cve.org/CVERecord?id=CVE-2026-24159