SB2026051925 - Multiple vulnerabilities in NVIDIA NeMo Framework

Published: May 19, 2026

Security Bulletin ID: SB2026051925
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Local access
Highest impact: Code execution

Breakdown by Severity

Medium: 50%, Low: 50%

Description

This security bulletin contains information about 2 vulnerabilities.


1) Code Injection (CVE-ID: CVE-2025-33204)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code, escalate privileges, disclose sensitive information, and modify data.

The vulnerability exists due to code injection in the NLP and LLM components when processing attacker-crafted data. A local user can supply crafted data to execute arbitrary code, escalate privileges, disclose sensitive information, and modify data.


2) Inclusion of Functionality from Untrusted Control Sphere (CVE-ID: CVE-2025-33205)

CWE-ID: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to inclusion of functionality from an untrusted control sphere when a predefined variable is used. A local user can use a predefined variable to execute arbitrary code.

User interaction is required.


Remediation

Install the update from the vendor's website.