// 5 ZERO-DAY · 3 CVE · 5 EXPLOIT IN THE LAST 24H
An unsafe deserialization flaw in NVIDIA NeMo Framework checkpoints enables remote code execution. User interaction is required, but the bug exposes MLOps pipelines that routinely pull pre-trained weights from public repositories.

On July 15, 2026, TrendAI Zero Day Initiative published advisory ZDI-26-429, documenting a remote code execution vulnerability in the NVIDIA NeMo Framework, a platform widely used for training language models and generative AI systems. The flaw, reported to the vendor on February 5, 2026, resides in the unsafe deserialization of checkpoints—pre-trained weight files that researchers and MLOps teams download and share daily across public repositories, cloud instances, and enterprise environments.

Key Takeaways
  • The advisory ZDI-26-429 confirms RCE in NVIDIA NeMo Framework via deserialization of untrusted data during checkpoint parsing.
  • User interaction is required: the victim must open a malicious file or visit a compromised page.
  • CVE-2026-24157 has been assigned to the same vulnerability with a CVSS 7.8 score, rated HIGH, according to correlated ZDI records.
  • NVIDIA has released a patch; coordinated disclosure occurred on July 15, 2026, roughly five months after the initial report.

The Flaw in Parsing: When the Checkpoint Becomes a Vector

The specific vulnerability lies in the parsing of checkpoints within the NeMo framework. The mechanism, described in the ZDI advisory, stems from the lack of validation of user-supplied data, which can cause the deserialization of untrusted data. In short: a seemingly legitimate checkpoint, loaded during a training or inference process, executes arbitrary code in the context of the current process.

"This vulnerability allows remote attackers to execute arbitrary code on affected installations of NVIDIA NeMo Framework. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file."

The user-interaction requirement does not diminish the risk. In MLOps workflows, the automatic download of weights from Hugging Face, GitHub, or shared buckets is standard practice. A researcher who downloads a compromised checkpoint and loads it into a Jupyter notebook or a training job on a GPU cluster exposes the entire environment without further barriers. The process typically runs with the privileges of the user launching the training, with access to mounted datasets, environment variables, and valuable compute resources.

CVE-2026-24157 and the Convergence of Records: Same Flaw, Double Confirmation

Alongside advisory ZDI-26-429, correlated Zero Day Initiative records document CVE-2026-24157 assigned to the same vulnerability in NVIDIA NeMo Framework, with an identical description of deserialization of untrusted data and RCE. The CVSS 7.8 score, with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicates high impact on confidentiality, integrity, and availability, albeit with a local attack vector and low privileges required.

The primary ZDI-26-429 source does not explicitly state a CVE or CVSS in the advisory body; these elements emerge from the correlated secondary record. The convergence on product, vulnerability class, and impact type reinforces the claim's solidity, even though the two identifiers are not explicitly cross-referenced in the text.

Why It Matters: The Blind Spot in the ML Trust Chain

The dossier does not specify which exact framework versions are affected, nor does it detail the vulnerable serialization format—which could involve pickle, the native PyTorch format, or other checkpoint persistence mechanisms. This gap has operational relevance: without a version list, verifying exposure requires a case-by-case audit of active NeMo deployments.

The dossier neither documents nor confirms nor rules out in-the-wild exploitation. The source does not specify the preferred distribution vector for the malicious file—email, compromised repository, or other—nor does it clarify whether the checkpoint loading process runs with elevated or limited privileges.

The official NVIDIA security advisory site (nvidia.custhelp.com) returned a 403 error at the time of verification, making any additional details on the released patch unrecoverable.

What remains documented is sufficient to outline a structural risk profile. The established practice of sharing pre-trained checkpoints—a pillar of the AI ecosystem—rests on an implicit chain of trust: the downloaded weight is executable code disguised as data. When deserialization is unprotected, that chain becomes a systematic attack surface.

Timeline and Disclosure Dynamics

The vulnerability was reported to NVIDIA on February 5, 2026. Coordinated public release occurred on July 15, 2026, an interval of roughly five months consistent with responsible disclosure practices. Researcher Michael DePlante (@izobashi), affiliated with TrendAI Zero Day Initiative, is credited with the discovery.

NVIDIA has released a patch, as stated in the advisory. The inaccessibility of the official portal prevents verification of specific patch URLs or application instructions.

The Read: MLOps Without Sandboxing, a Security Misalignment

Case ZDI-26-429 illuminates a cultural misalignment. Generative AI has redefined development pipeline velocity, but has not introduced corresponding security controls on the perimeter of input data—in this case, model checkpoints treated as passive blobs rather than active code. The absence of sandboxing during the weight-loading phase, combined with pressure to reduce experimentation time, creates conditions where a single compromised file can propagate from a public repository to an entire fleet of GPU nodes.

The user-interaction requirement, while mitigating attack scalability, does not neutralize it in environments where opening checkpoints is a routine, automated operation. Proactive verification of ML artifacts—hashes, signatures, isolation of the loading process—remains a non-standardized practice, and the dossier does not indicate that NVIDIA has introduced such mechanisms in the released patch.

FAQ

Does the vulnerability allow a fully remote attack without victim action?

No. Advisory ZDI-26-429 explicitly states that user interaction is required: the victim must visit a malicious page or open a malicious file. It does not constitute an automatic drive-by exploit.

Does CVE-2026-24157 necessarily coincide with ZDI-26-429?

ZDI records converge on product, vulnerability class, and technical description, but no explicit cross-reference exists confirming the identity of the two identifiers. The brief does not authorize presenting them as certifiably equivalent.

What is not documented in the dossier?

The following do not emerge: specific affected versions, vulnerable serialization format, patch details, presence of in-the-wild exploits, and content of the NVIDIA site (inaccessible due to a 403 error at the time of verification).

Sources

Information is based on the cited source and current as of publication.

Sources


Sources and references
  1. zerodayinitiative.com
  2. nvidia.custhelp.com