SB2026051927 - Multiple vulnerabilities in NVIDIA NeMo Framework (February 2026)




Published: May 19, 2026

Security Bulletin ID: SB2026051927
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 10
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 30%, Low: 70%

Description

This security bulletin contains information about 10 vulnerabilities.


1) Deserialization of Untrusted Data (CVE-ID: CVE-2025-33245)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in NeMo Framework when processing malicious data. A remote user can supply malicious data to execute arbitrary code.

User interaction is required.


2) Code Injection (CVE-ID: CVE-2025-33236)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to code injection in NeMo Framework when processing malicious data created by an attacker. A local user can provide malicious data to execute arbitrary code.


3) Deserialization of Untrusted Data (CVE-ID: CVE-2025-33241)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in NeMo Framework when loading a maliciously crafted file. A local user can load a maliciously crafted file to execute arbitrary code.


4) Deserialization of Untrusted Data (CVE-ID: CVE-2025-33243)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in NeMo Framework when operating in distributed environments. A local user can exploit the issue in distributed environments to execute arbitrary code.

Only distributed environments are affected.


5) Command Injection (CVE-ID: CVE-2025-33246)

CWE-ID: CWE-77 - Command injection

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to command injection in the ASR Evaluator utility when crafted input is supplied to a configuration parameter. A local user can supply crafted input to a configuration parameter to execute arbitrary code.


6) Command Injection (CVE-ID: CVE-2025-33249)

CWE-ID: CWE-77 - Command injection

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to command injection in a voice-preprocessing script when processing malicious input created by an attacker. A local user can provide malicious input to execute arbitrary code.


7) Code Injection (CVE-ID: CVE-2025-33250)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to code injection in NeMo Framework when processing attacker-controlled input. A local user can provide attacker-controlled input to execute arbitrary code.


8) Code Injection (CVE-ID: CVE-2025-33251)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to code injection in NeMo Framework when processing attacker-controlled input. A local user can provide attacker-controlled input to execute arbitrary code.


9) Deserialization of Untrusted Data (CVE-ID: CVE-2025-33252)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in NeMo Framework when processing attacker-controlled input. A local user can provide attacker-controlled input to execute arbitrary code.


10) Deserialization of Untrusted Data (CVE-ID: CVE-2025-33253)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in NeMo Framework when loading a maliciously crafted file. A local user can load a maliciously crafted file to execute arbitrary code.


Remediation

Install the update from the vendor's website.