SB2026051927 - Multiple vulnerabilities in NVIDIA NeMo Framework (February 2026)
Published: May 19, 2026
Description
This security bulletin contains information about 10 vulnerabilities.
1) Deserialization of Untrusted Data (CVE-ID: CVE-2025-33245)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to deserialization of untrusted data in NeMo Framework when processing malicious data. A remote user can supply malicious data to execute arbitrary code.
User interaction is required.
2) Code Injection (CVE-ID: CVE-2025-33236)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to code injection in NeMo Framework when processing malicious data created by an attacker. A local user can provide malicious data to execute arbitrary code.
3) Deserialization of Untrusted Data (CVE-ID: CVE-2025-33241)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to deserialization of untrusted data in NeMo Framework when loading a maliciously crafted file. A local user can load a maliciously crafted file to execute arbitrary code.
4) Deserialization of Untrusted Data (CVE-ID: CVE-2025-33243)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to deserialization of untrusted data in NeMo Framework when operating in distributed environments. A local user can exploit the issue in distributed environments to execute arbitrary code.
Only distributed environments are affected.
5) Command injection (CVE-ID: CVE-2025-33246)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to command injection in the ASR Evaluator utility when crafted input is supplied to a configuration parameter. A local user can supply crafted input to a configuration parameter to execute arbitrary code.
6) Command injection (CVE-ID: CVE-2025-33249)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to command injection in a voice-preprocessing script when processing malicious input created by an attacker. A local user can provide malicious input to execute arbitrary code.
7) Code Injection (CVE-ID: CVE-2025-33250)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to code injection in NeMo Framework when processing attacker-controlled input. A local user can provide attacker-controlled input to execute arbitrary code.
8) Code Injection (CVE-ID: CVE-2025-33251)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to code injection in NeMo Framework when processing attacker-controlled input. A local user can provide attacker-controlled input to execute arbitrary code.
9) Deserialization of Untrusted Data (CVE-ID: CVE-2025-33252)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to deserialization of untrusted data in NeMo Framework when processing attacker-controlled input. A local user can provide attacker-controlled input to execute arbitrary code.
10) Deserialization of Untrusted Data (CVE-ID: CVE-2025-33253)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to deserialization of untrusted data in NeMo Framework when loading a maliciously crafted file. A local user can load a maliciously crafted file to execute arbitrary code.
Remediation
Install the update from the vendor's website.