
CVE-2026-24159 — NVIDIA NeMo deserialization RCE

CVE-2026-24159 is a NeMo Framework deserialization flaw (CWE-502) that can allow code execution when untrusted model/checkpoint content is processed. NVD currently scores this CVE as 9.8 (critical), while NVIDIA’s CNA score is 7.8 (high). Treat internet-reachable or shared training/inference pipelines as urgent remediation targets.

Affected versions

  • Vulnerable: nemo versions earlier than 2.6.2
  • Fixed: nemo>=2.6.2

Indicator-of-exposure

  • NeMo is installed at a vulnerable version.
  • The environment ingests untrusted checkpoints/artifacts/datasets.
  • Jobs run with broad file-system or cloud credentials.

Quick checks:

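# Show the installed distribution (the PyPI name is nemo-toolkit; nemo is checked as a fallback)
python -m pip show nemo-toolkit || python -m pip show nemo
python - <<'PY'
# Read versions from installed package metadata. Importing NeMo is not needed,
# and a swallowed import error would hide an installed copy.
from importlib.metadata import PackageNotFoundError, version
for dist in ("nemo-toolkit", "nemo"):
    try:
        print(dist, version(dist))
    except PackageNotFoundError:
        print(dist, "not installed")
PY
# Locate deserialization and checkpoint-loading call sites in the repository
rg -n "torch\.load|pickle|checkpoint|nemo" .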

Remediation strategy

  • Upgrade NeMo to 2.6.2 or later.
  • Do not deserialize untrusted checkpoint/model files.
  • Require provenance controls (trusted registry/bucket, checksums/signatures).
  • Run NeMo jobs with least-privilege IAM and restricted network egress.
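
One way to implement the checksum control above in front of a NeMo load path, as an added example (not NVIDIA's code and not part of the original page). The manifest format (relative path mapped to a SHA-256 hex digest), the `trusted_root` directory and all function names are assumptions; the sample checkpoint bytes are constructed.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


class UntrustedArtifact(Exception):
    """Raised when a checkpoint fails the provenance check."""


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verified_checkpoint(path, manifest_path, trusted_root) -> Path:
    """Return the resolved path only if it is under trusted_root and pinned."""
    root = Path(trusted_root).resolve()
    p = Path(path).resolve()  # collapses ../ segments and symlinks
    if root not in p.parents:
        raise UntrustedArtifact(f"{p} is outside trusted root {root}")
    pinned = json.loads(Path(manifest_path).read_text())
    expected = pinned.get(p.relative_to(root).as_posix())
    if expected is None:
        raise UntrustedArtifact(f"{p.name} has no pinned digest")
    if not hmac.compare_digest(sha256_file(p), expected.lower()):
        raise UntrustedArtifact(f"{p.name} digest mismatch")
    return p  # only now hand the path to the framework's loader


def demo() -> dict:
    """Constructed sample: a pinned file, then the same file after tampering."""
    with tempfile.TemporaryDirectory() as d:
        ckpt, manifest = Path(d, "asr.nemo"), Path(d, "manifest.json")
        ckpt.write_bytes(b"constructed sample checkpoint bytes")
        manifest.write_text(json.dumps({"asr.nemo": sha256_file(ckpt)}))
        results = {"pinned": verified_checkpoint(ckpt, manifest, d).name}
        ckpt.write_bytes(b"tampered after pinning")
        try:
            verified_checkpoint(ckpt, manifest, d)
            results["tampered"] = "accepted"
        except UntrustedArtifact:
            results["tampered"] = "rejected"
        return results
```

A matching digest only proves the file is the one that was pinned; it does not make an unreviewed checkpoint safe to deserialize. Keep the manifest in version control and the trusted root read-only to the job so the file cannot change between hashing and loading.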

The prompt

You are remediating CVE-2026-24159 (NVIDIA NeMo deserialization RCE). Produce
exactly one output:

1. A reviewer-ready PR with code/config/docs updates, or
2. TRIAGE.md if no safe patch path exists.

## Rules

- Stay strictly in CVE-2026-24159 scope.
- Prefer the smallest safe upgrade path to `nemo>=2.6.2`.
- Assume model/checkpoint artifacts are untrusted unless proven otherwise.
- Do not auto-merge.

## Steps

1. Detect NeMo usage in manifests, lockfiles, images, and runtime scripts.
2. If NeMo absent or already fixed, create a brief triage note and stop.
3. Upgrade NeMo dependency pins and regenerate lockfiles.
4. Add one hardening update near NeMo load paths (or ops docs):
   - enforce trusted artifact sources,
   - require checksum/signature validation,
   - document least-privilege execution requirements.
5. Run tests/build checks.
6. Output PR title:
   `fix(sec): remediate CVE-2026-24159 in nvidia nemo`.

## Stop conditions

- Upgrade causes unsupported framework/API break without safe short path.
- Dependency manager/lockfile process is missing and cannot be made
  deterministic in this repo.
- Failures are unrelated pre-existing issues.

Verification — what the reviewer looks for

  • Manifest/lockfile/image now resolves to nemo>=2.6.2.
  • No vulnerable NeMo versions remain in dependency inventory.
  • PR includes one concrete control for untrusted artifact ingestion.
