SB2026051924 - Two vulnerabilities in NVIDIA NeMo Framework




Published: May 19, 2026

Security Bulletin ID: SB2026051924
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Local access
Highest impact: Code execution

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 2 vulnerabilities.


1) Code Injection (CVE-ID: CVE-2025-23361)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data.

The vulnerability exists due to improper control of code generation in a script when processing malicious input. A local user can provide malicious input to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data.


2) Code Injection (CVE-ID: CVE-2025-33178)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data.

The vulnerability exists due to code injection in the BERT services component when processing malicious data. A local user can provide malicious data to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data.


Remediation

Install the update from the vendor's website.