SB2026051925 - Multiple vulnerabilities in NVIDIA NeMo Framework
Published: May 19, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Code Injection (CVE-ID: CVE-2025-33204)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code, escalate privileges, disclose sensitive information, and modify data.
The vulnerability exists due to code injection in the NLP and LLM components when they process malicious data created by an attacker. A local user can supply crafted data to execute arbitrary code, escalate privileges, disclose sensitive information, and modify data.
2) Inclusion of Functionality from Untrusted Control Sphere (CVE-ID: CVE-2025-33205)
CWE-ID: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to inclusion of functionality from an untrusted control sphere through a predefined variable. A local user can manipulate that predefined variable to execute arbitrary code.
User interaction is required.
Remediation
Install the update from the vendor's website.