CVE-2026-24164 — NVIDIA BioNeMo deserialization RCE

CVE-2026-24164 affects NVIDIA BioNeMo via deserialization of untrusted data (CWE-502). NVD currently rates the issue as 9.8 (critical) while the NVIDIA CNA vector is 8.8 (high). Because BioNeMo often handles user-provided biological/model artifacts, deployments should treat this as high-priority.

When to use it

Use this recipe when a repository uses NVIDIA BioNeMo for biological model training, inference, notebooks, pipelines, or artifact promotion and accepts datasets/checkpoints from users, tenants, partners, or automation. It is designed for source-code/deployment remediation, deserialization trust-boundary review, fixed-commit verification, model artifact provenance, and least-privilege worker hardening.

Inputs

  • BioNeMo version or git revision, presence of commit e5e58c8, Python dependency files, worker images, model/dataset artifact sources, and SBOM or generated dependency reports.
  • Source/config paths that deserialize BioNeMo data, load checkpoints, import datasets, run notebook/pipeline jobs, mount artifact caches, or expose credentials to workers.
  • Regression or deployment checks for fixed revisions, trusted artifact sources, checksum/signature validation, sandboxed workers, and rebuilt images.
  • Boundary evidence: artifact authors, shared tenant workloads, registry write access, reachable secrets, logs, image owners, and rollout owner.

Affected versions

  • Vulnerable: BioNeMo branches/versions that do not include commit e5e58c8
  • Fixed: any BioNeMo branch that includes commit e5e58c8 (or a later release containing that patch)

Indicator-of-exposure

  • BioNeMo is present in runtime or build tooling.
  • Workflows deserialize external datasets/model artifacts/checkpoints.
  • Platform is reachable by untrusted users or shared tenant workloads.

Quick checks:

python -m pip show bionemo || true
git log --oneline --decorate -n 200 | rg e5e58c8 || true
rg -n "pickle|torch\.load|yaml\.load|deserialize|bionemo" .

Remediation strategy

  • Move to a BioNeMo revision that includes e5e58c8.
  • Ensure loading paths reject or sandbox untrusted serialized content.
  • Restrict pipeline credentials and isolate workers handling imported artifacts.
  • Rebuild artifacts/images after patching.

The prompt

You are remediating CVE-2026-24164 (NVIDIA BioNeMo deserialization RCE).
Produce exactly one output:

1. A reviewer-ready PR with minimal safe remediation, or
2. TRIAGE.md if no safe patch path exists.

## Rules

- Scope only CVE-2026-24164.
- Prefer applying/consuming the upstream fix commit `e5e58c8`.
- Keep changes minimal and deterministic.
- Do not auto-merge.

## Steps

1. Locate BioNeMo dependency source (pip, git submodule, vendored source,
   container image).
2. Verify whether commit `e5e58c8` is already present.
3. If missing, update version/ref to include it and regenerate lockfiles/images.
4. Add one control where deserialization occurs:
   - trusted-source allow-list,
   - explicit validation gate,
   - or sandboxing/least-privilege execution note.
5. Run tests/build checks.
6. Output PR title:
   `fix(sec): remediate CVE-2026-24164 in nvidia bionemo`.

## Stop conditions

- Upstream patch cannot be consumed without unsafe major migration.
- BioNeMo is not present in this repository/runtime.
- Build/test failures are pre-existing and unrelated.

Verification — what the reviewer looks for

Output contract

  • A reviewer-ready PR or change request that moves BioNeMo to a fixed revision, refreshes dependency/image artifacts, fences untrusted artifact ingestion, and documents credential/operator review.

  • Or a TRIAGE.md file that lists inspected dependencies/images/load paths, owner, observed revision, artifact trust boundary, required fix, and residual risk.

  • The output must include exact validation commands and must not deserialize untrusted biological/model artifacts, expose secrets, or execute payloads.

  • Dependency ref/release includes commit e5e58c8 or newer fixed release.

  • No vulnerable BioNeMo revision remains in lockfiles/images.

  • PR documents one concrete control for untrusted deserialization paths.

Watch for

  • Pinning a patched git ref in one manifest while container build scripts still clone the older BioNeMo branch.
  • Assuming a release is fixed without verifying it contains e5e58c8 or an equivalent vendor patch.
  • Leaving shared research workspaces able to load arbitrary serialized model artifacts with broad cloud or filesystem credentials.
  • Validation that proves exposure by opening untrusted biological/model artifacts instead of checking refs, versions, and provenance controls.

References