What is the CVSS score of CVE-2026-24159?

CVE-2026-24159 has a CVSS 3.1 base score of 7.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Nvidia are affected by CVE-2026-24159?

NVIDIA NeMo Framework installations face a HIGH severity vulnerability (CVE-2026-24159) allowing authenticated attackers to execute arbitrary code with total technical impact.. A patch is available.

How to fix or mitigate CVE-2026-24159?

Within 24 hours: Inventory all systems running NVIDIA NeMo Framework and restrict access to authenticated users only. Within 7 days: Implement network segmentation to isolate NeMo deployments and disable unnecessary deserialization features if possible. Within 30 days: Monitor NVIDIA security advisories for patch availability and establish a deployment plan; evaluate alternative frameworks if patch timeline extends beyond acceptable risk tolerance.

Nvidia CVE-2026-24159

EUVD-2026-15015 HIGH

Deserialization of Untrusted Data (CWE-502)

2026-03-24 nvidia

GHSA-v7v2-m736-cf3c

RCE Information Disclosure Nvidia Deserialization

7.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.8 HIGH

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Apr 02, 2026 - 14:30 nvd

Patch available

EUVD ID Assigned

Mar 24, 2026 - 20:31 euvd

EUVD-2026-15015

Analysis Generated

Mar 24, 2026 - 20:31 vuln.today

CVE Published

Mar 24, 2026 - 20:27 nvd

HIGH 7.8

DescriptionCVE.org

NVIDIA NeMo Framework contains a vulnerability where an attacker may cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering.

AnalysisAI

NVIDIA NeMo Framework contains an insecure deserialization vulnerability (CWE-502) that allows authenticated local attackers to execute arbitrary code. The vulnerability affects NVIDIA NeMo Framework installations and can lead to code execution, privilege escalation, information disclosure, and data tampering. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain local access to system

Exploit

Upload malicious serialized Python object

Execution

NeMo Framework deserializes untrusted data

Impact

Execute arbitrary code with framework privileges

Access

Obtain local access to system

Exploit

Upload malicious serialized Python object

Execution

NeMo Framework deserializes untrusted data

Impact

Execute arbitrary code with framework privileges

Vulnerability AssessmentAI

Exploitation	Requires local access to the target system running NVIDIA NeMo Framework. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS score of 7.8 (High) reflects significant impact across confidentiality, integrity, and availability (all rated High), but the attack vector is Local (AV:L) requiring low privileges (PR:L) and low attack complexity (AC:L) with no user interaction needed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker who has gained initial local access to a system running NVIDIA NeMo Framework (through compromised credentials, social engineering, or exploitation of another vulnerability) crafts a malicious serialized object containing executable code. When the NeMo Framework deserializes this object during normal operations or model processing, the embedded payload executes with the privileges of the NeMo process, allowing the attacker to escalate privileges, access sensitive AI training data or model weights, tamper with model outputs, or establish persistent access to the system.
Remediation	Consult NVIDIA's official security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5800 for specific patch versions and upgrade instructions for NeMo Framework. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running NVIDIA NeMo Framework and restrict access to authenticated users only. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55447 CRITICAL Act Now

9.6 Jun 19

Arbitrary file read leading to remote code execution affects Langflow versions prior to 1.9.2 in any flow that uses Base

CVE-2026-53805 CRITICAL Act Now

9.3 Jun 17

Unauthenticated remote code execution in NVIDIA Spatial Intelligence Lab's GEN3C inference API server allows network att

CVE-2026-24155 HIGH This Week

7.8 Jun 16

Code injection in NVIDIA NeMo Framework across all supported platforms allows a local attacker with low privileges to ex

CVE-2026-24228 HIGH This Week

7.8 Jun 16

Local code execution in NVIDIA NeMo Framework on Linux allows an authenticated low-privileged attacker to abuse unsafe d

CVE-2026-24159 vulnerability details – vuln.today

Back

Nvidia CVE-2026-24159

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code