Cyber Posture

CVE-2026-24159

Severity: High

Published: 24 March 2026

Modified: 31 March 2026
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (29.9th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

NVIDIA NeMo Framework contains a vulnerability where an attacker may cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly remediates the deserialization vulnerability in NVIDIA NeMo Framework by requiring timely patching and updates as per vendor advisories.

prevent: Prevents exploitation of CWE-502 by validating untrusted data inputs prior to deserialization in the framework.

prevent: Mitigates remote code execution from deserialization flaws through memory protections like ASLR and DEP.

Security Summary (AI)

CVE-2026-24159 is a vulnerability in the NVIDIA NeMo Framework that enables an attacker to cause remote code execution. A successful exploit might lead to code execution, escalation of privileges, information disclosure, and data tampering. The issue has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-502, which involves deserialization of untrusted data.

Exploitation requires local access, low attack complexity, and low privileges, with no user interaction needed. A local attacker meeting these conditions can achieve high impacts across confidentiality, integrity, and availability, potentially resulting in the described outcomes of code execution, privilege escalation, information disclosure, and data tampering.

Mitigation guidance is provided in official advisories, including NVIDIA's security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5800, the NVD detail page at https://nvd.nist.gov/vuln/detail/CVE-2026-24159, and the CVE record at https://www.cve.org/CVERecord?id=CVE-2026-24159.

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data)

Affected Products

nvidia nemo, versions ≤ 2.6.2

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability allows a local, low-privileged attacker to cause remote code execution via deserialization (CWE-502), leading to privilege escalation, which maps directly to Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References