CVE-2026-24164 — NVIDIA BioNeMo deserialization RCE
CVE-2026-24164 affects NVIDIA BioNeMo via deserialization of untrusted data (CWE-502). NVD currently rates the issue as 9.8 (critical) while the NVIDIA CNA vector is 8.8 (high). Because BioNeMo often handles user-provided biological/model artifacts, deployments should treat this as high-priority.
When to use it
Use this recipe when a repository uses NVIDIA BioNeMo for biological model training, inference, notebooks, pipelines, or artifact promotion and accepts datasets/checkpoints from users, tenants, partners, or automation. It is designed for source-code/deployment remediation, deserialization trust-boundary review, fixed-commit verification, model artifact provenance, and least-privilege worker hardening.
Inputs
- BioNeMo version or git revision, presence of commit
e5e58c8, Python dependency files, worker images, model/dataset artifact sources, and SBOM or generated dependency reports. - Source/config paths that deserialize BioNeMo data, load checkpoints, import datasets, run notebook/pipeline jobs, mount artifact caches, or expose credentials to workers.
- Regression or deployment checks for fixed revisions, trusted artifact sources, checksum/signature validation, sandboxed workers, and rebuilt images.
- Boundary evidence: artifact authors, shared tenant workloads, registry write access, reachable secrets, logs, image owners, and rollout owner.
Affected versions
- Vulnerable: BioNeMo branches/versions that do not include commit
e5e58c8 - Fixed: any BioNeMo branch that includes commit
e5e58c8(or a later release containing that patch)
Indicator-of-exposure
- BioNeMo is present in runtime or build tooling.
- Workflows deserialize external datasets/model artifacts/checkpoints.
- Platform is reachable by untrusted users or shared tenant workloads.
Quick checks:
python -m pip show bionemo || true
git log --oneline --decorate -n 200 | rg e5e58c8 || true
rg -n "pickle|torch\.load|yaml\.load|deserialize|bionemo" .
Remediation strategy
- Move to a BioNeMo revision that includes
e5e58c8. - Ensure loading paths reject or sandbox untrusted serialized content.
- Restrict pipeline credentials and isolate workers handling imported artifacts.
- Rebuild artifacts/images after patching.
The prompt
You are remediating CVE-2026-24164 (NVIDIA BioNeMo deserialization RCE).
Produce exactly one output:
1. A reviewer-ready PR with minimal safe remediation, or
2. TRIAGE.md if no safe patch path exists.
## Rules
- Scope only CVE-2026-24164.
- Prefer applying/consuming the upstream fix commit `e5e58c8`.
- Keep changes minimal and deterministic.
- Do not auto-merge.
## Steps
1. Locate BioNeMo dependency source (pip, git submodule, vendored source,
container image).
2. Verify whether commit `e5e58c8` is already present.
3. If missing, update version/ref to include it and regenerate lockfiles/images.
4. Add one control where deserialization occurs:
- trusted-source allow-list,
- explicit validation gate,
- or sandboxing/least-privilege execution note.
5. Run tests/build checks.
6. Output PR title:
`fix(sec): remediate CVE-2026-24164 in nvidia bionemo`.
## Stop conditions
- Upstream patch cannot be consumed without unsafe major migration.
- BioNeMo is not present in this repository/runtime.
- Build/test failures are pre-existing and unrelated.
Verification — what the reviewer looks for
Output contract
-
A reviewer-ready PR or change request that moves BioNeMo to a fixed revision, refreshes dependency/image artifacts, fences untrusted artifact ingestion, and documents credential/operator review.
-
Or a
TRIAGE.mdfile that lists inspected dependencies/images/load paths, owner, observed revision, artifact trust boundary, required fix, and residual risk. -
The output must include exact validation commands and must not deserialize untrusted biological/model artifacts, expose secrets, or execute payloads.
-
Dependency ref/release includes commit
e5e58c8or newer fixed release. -
No vulnerable BioNeMo revision remains in lockfiles/images.
-
PR documents one concrete control for untrusted deserialization paths.
Watch for
- Pinning a patched git ref in one manifest while container build scripts still clone the older BioNeMo branch.
- Assuming a release is fixed without verifying it contains
e5e58c8or an equivalent vendor patch. - Leaving shared research workspaces able to load arbitrary serialized model artifacts with broad cloud or filesystem credentials.
- Validation that proves exposure by opening untrusted biological/model artifacts instead of checking refs, versions, and provenance controls.
Related recipes
- Source code injection sink audit
- Source code supply chain build integrity audit
- Source code secrets and data exposure audit
- NIST SSDF repository evidence check
References
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-24164
- NVIDIA bulletin (BioNeMo): https://nvidia.custhelp.com/app/answers/detail/a_id/5808
- CVE record: https://www.cve.org/CVERecord?id=CVE-2026-24164