The June security update covers NeMo Framework versions from 0.0 through 2.7.2, with users advised to move to version 2.7.3 or later. The flaws are tracked as CVE-2026-24155, CVE-2026-24252 and CVE-2026-24228, each carrying a CVSS v3.1 base score of 7.8, placing them in the high-severity category. The bulletin marks the issue as important for all platforms, while two of the three weaknesses specifically affect Linux deployments.
The most operationally sensitive of the three is CVE-2026-24252, an OS command-injection weakness in NeMo for Linux. Such flaws matter because they can allow an attacker to pass crafted input to an application in a way that triggers unintended system commands. In shared AI infrastructure, where researchers, engineers and automated workloads may use the same GPU servers, a local low-privileged foothold can become a route to broader compromise.
CVE-2026-24155 is a code-injection vulnerability affecting NeMo Framework across all platforms. A successful exploit could lead to code execution, privilege escalation, information disclosure and data tampering. CVE-2026-24228 affects NeMo Framework on Linux and involves deserialisation of untrusted data, a class of vulnerability that has long been considered dangerous in machine-learning and software supply-chain environments because model files, checkpoints and intermediate artefacts often move between systems and teams.
NVIDIA credited Moomi Chen with reporting CVE-2026-24155 and CVE-2026-24252, while CVE-2026-24228 was credited to Tyler Zars working with Trend Micro’s Zero Day Initiative. The company’s update directs users to obtain the fixed version from the official NeMo repository and evaluate risk in line with their own configuration, reflecting the varied ways in which the framework is used across enterprise, academic and cloud environments.
NeMo is a widely used open-source framework for building, customising and deploying generative AI models. It supports work on large language models, multimodal systems, speech recognition, text-to-speech and other AI workloads. Its role in training and fine-tuning pipelines makes flaws in the framework more significant than ordinary application bugs, because AI development environments often hold model weights, training data, proprietary prompts, credentials, experiment logs and access to expensive compute resources.
The vulnerabilities arrive as organisations are moving from experimental AI deployments to production systems. That shift has increased scrutiny of model-development tooling, not only the models themselves. Security teams are focusing more closely on the software layers around AI pipelines, including Python packages, model checkpoints, dataset-processing scripts, notebook environments, orchestration systems and inference servers. NeMo sits within that broader risk landscape, where a weakness in development tooling can affect downstream production systems if compromised code or artefacts are promoted through a pipeline.
The attack requirements in the advisory indicate local access, low privileges and no user interaction. That profile does not describe an internet-wide remote bug, but it remains serious in multi-user and containerised AI environments. Many organisations consolidate training workloads on central GPU clusters, where a compromised user account, vulnerable notebook, exposed development container or poisoned internal workload could provide the access needed to attempt exploitation.
Security teams are expected to prioritise patching systems that run NeMo on shared Linux hosts, research clusters, model-training platforms and environments where untrusted or externally sourced model artefacts are handled. The fixed version also matters for teams that build custom containers around NeMo, since updating the source repository alone may not protect running workloads unless base images, dependency locks and deployment pipelines are rebuilt.
The disclosure follows a pattern of rising attention to AI framework security. Earlier vulnerabilities affecting model-loading, checkpoint handling and deserialisation across AI libraries showed how development tools can become an entry point for code execution. The NeMo bulletin reinforces a central lesson for enterprises adopting generative AI: model governance is incomplete without conventional software security controls, including dependency tracking, least-privilege access, code review, container isolation and rapid patch management.
For NVIDIA, the update comes at a time when its AI software stack is becoming more central to enterprise adoption of accelerated computing. The company’s hardware dominance has been matched by a growing set of frameworks, libraries and model tools designed to make AI development easier across cloud, on-premises and hybrid infrastructure. That broader software footprint also expands the security responsibilities around developer tooling.
Organisations running NeMo should identify affected installations, confirm whether versions up to 2.7.2 are present, update to 2.7.3 or later, rebuild dependent containers and review access controls on shared AI infrastructure. Teams handling third-party checkpoints, plug-ins, scripts or experimental model artefacts should apply additional caution, particularly where Linux-based training systems are shared across projects.
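The identification step described above (confirm whether a version up to 2.7.2 is present, including inside container image lock files) is easy to get wrong by eye when pins are spread across hosts and images. The following Python script is an added example, not code from the article or from NVIDIA: it parses `pip freeze`-style output and requirements lock files, normalises the project name, compares each pinned version against the 2.7.3 fix with a pre-release-aware ordering (so a 2.7.3 release candidate still counts as unpatched), and reports which sources need rebuilding. The PyPI distribution name `nemo_toolkit` and the sample inventory are assumptions constructed for the example.

```python
import re

# Affected range and fixed version as reported in the bulletin: 0.0 through 2.7.2, fixed in 2.7.3.
FIXED_VERSION = "2.7.3"
ADVISORY_CVES = ("CVE-2026-24155", "CVE-2026-24252", "CVE-2026-24228")
# Assumed PyPI distribution name for the NeMo Framework (an assumption, not stated in the article).
NEMO_DIST_NAME = "nemo_toolkit"

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", re.IGNORECASE)
_PRE_ORDER = {"a": 0, "b": 1, "rc": 2}


def version_key(version):
    """Sortable key for a version string. Pre-releases sort below their final
    release, so '2.7.3rc1' is still treated as older than '2.7.3'."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release = release + (0,) * (3 - len(release))  # pad so '2.7' compares as 2.7.0
    pre = (0, _PRE_ORDER[m.group(2).lower()], int(m.group(3))) if m.group(2) else (1,)
    return (release, pre)


def is_affected(version):
    """True when the installed version is below the fixed version."""
    return version_key(version) < version_key(FIXED_VERSION)


def normalise(name):
    """PEP 503 name normalisation: nemo_toolkit, nemo-toolkit and NeMo.toolkit are one project."""
    return re.sub(r"[-_.]+", "-", name).lower()


_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_pins(text):
    """Extract exact '==' pins from pip freeze output or a requirements lock file."""
    pins = {}
    for line in text.splitlines():
        m = _PIN_RE.match(line)
        if m:
            pins[normalise(m.group(1))] = m.group(2)
    return pins


def audit(source, text):
    """Return a finding for the given source if it pins an affected NeMo version."""
    version = parse_pins(text).get(normalise(NEMO_DIST_NAME))
    if version is None or not is_affected(version):
        return []
    return [{"source": source, "version": version, "fixed": FIXED_VERSION, "cves": ADVISORY_CVES}]


def audit_inventory(inventory):
    """Audit a mapping of source label -> pin text and collect all findings."""
    findings = []
    for source, text in inventory.items():
        findings.extend(audit(source, text))
    return findings


# Constructed sample inventory: two hosts and two container image lock files.
SAMPLE_INVENTORY = {
    "gpu-node-01 (pip freeze)": "numpy==1.26.4\nnemo_toolkit==2.7.2\ntorch==2.3.0\n",
    "gpu-node-02 (pip freeze)": "numpy==1.26.4\ntorch==2.3.0\n",
    "train-image:latest (requirements.lock)": "nemo-toolkit==2.7.3rc1\n",
    "train-image:patched (requirements.lock)": "nemo-toolkit==2.7.3\n",
}

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f['source']}: NeMo {f['version']} is below {f['fixed']} -> rebuild/update ({', '.join(f['cves'])})")
```

Sources installed from a checkout rather than a pin (`pip freeze` shows `nemo_toolkit @ file:///...`) produce no `==` line and are therefore not reported; those need a manual check of the checked-out tag, which is consistent with the article's point that updating the repository alone does not cover running workloads.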