NVIDIA BioNeMo and FLARE SDK Hit by High-Severity Deserialization Flaws
NVIDIA disclosed two high-severity deserialization vulnerabilities affecting BioNeMo and the FLARE SDK, both tracked under CWE-502 and capable of compromising confidentiality, integrity, and availability. CVE-2026-24164 impacts BioNeMo and could allow code execution, denial of service, information disclosure, and data tampering through deserialization of untrusted data. The flaw carries a CVSS:3.1 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating remote attack potential with low complexity and high impact.
A second flaw, CVE-2026-24186, affects the NVIDIA FLARE SDK in FOBS handling, where a malicious FOBS-encoded message can trigger unsafe deserialization and lead to code execution. That issue was scored CVSS:3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, reflecting similarly severe impact with no user interaction required. NVIDIA advisory material, NVD entries, and official CVE records were published for both vulnerabilities, signaling that organizations using either platform should review vendor guidance and prioritize remediation.
Timeline
Apr 28, 2026
CVE-2026-24186 disclosed for NVIDIA FLARE SDK
A deserialization vulnerability in the NVIDIA FLARE SDK's FOBS component was disclosed as CVE-2026-24186. NVIDIA indicated that a malicious FOBS-encoded message could trigger the flaw and lead to code execution, with references added to NVD, NVIDIA's advisory, and the CVE record.
Mar 31, 2026
CVE-2026-24164 disclosed for NVIDIA BioNeMo
A deserialization of untrusted data vulnerability in NVIDIA BioNeMo was reported and assigned CVE-2026-24164. The flaw could enable code execution, denial of service, information disclosure, and data tampering, and references were added to NVD, NVIDIA's advisory, and the CVE record.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Affected Products
Sources
Related Stories
Critical Deserialization Vulnerabilities in AI and Analytics Frameworks
Multiple high-severity deserialization vulnerabilities have been identified in widely used AI and analytics frameworks, including NVIDIA Isaac Lab, MooreThreads torch_musa, and NVIDIA Merlin components. These flaws allow attackers to exploit unsafe deserialization processes, potentially leading to remote code execution or denial-of-service conditions on affected systems. In the case of MooreThreads torch_musa, the vulnerability arises from the use of `pickle.load()` on user-controlled files without validation, enabling arbitrary code execution with the privileges of the victim process. Similarly, NVIDIA Isaac Lab and Merlin frameworks are affected by deserialization issues that could be exploited remotely, with Merlin's NVTabular and Transformers4Rec components specifically highlighted for their susceptibility to code execution and data tampering attacks. Security advisories urge immediate patching, as these vulnerabilities are remotely exploitable and pose significant risks to enterprise environments. The affected products span various versions, and organizations using these frameworks are advised to review vendor guidance and apply available security updates to mitigate the threat. The vulnerabilities have been assigned high or critical CVSS scores, underscoring the urgency for remediation to prevent potential exploitation in production environments.
1 months ago
Critical Code Execution Vulnerability in NVIDIA Isaac Lab AI Framework
A critical deserialization vulnerability (CVE-2025-32210) was discovered in NVIDIA Isaac Lab, a component of the NVIDIA Isaac Sim framework, allowing attackers with low privileges and minimal user interaction to execute arbitrary code on affected systems. The flaw, categorized as CWE-502, affects all versions of Isaac Lab prior to v2.3.0 and carries a CVSS score of 9.0, indicating a high risk to confidentiality, integrity, and availability. NVIDIA responded by releasing a security update that implements proper input validation and secure data handling, urging all users to upgrade to Isaac Lab v2.3.0 immediately to mitigate the risk of exploitation. The vulnerability also prompted broader advisories regarding critical security patches for NVIDIA's AI platforms, including both Isaac Lab and the NeMo Framework, due to the risk of full code execution if left unpatched. Organizations using these AI tools are strongly advised to verify their deployments and apply the latest security updates across all environments. The urgency of the patch is underscored by the potential for attackers to achieve complete system compromise through network-based attacks requiring only low-level access and user interaction.
1 months ago
NVIDIA Display Driver DLL Loading Vulnerability and Related High-Severity Flaws
NVIDIA has disclosed a high-severity vulnerability in its Display Driver, identified as CVE-2025-23309, which involves an uncontrolled DLL loading path. This flaw could allow attackers to cause arbitrary denial of service, escalate privileges, execute code, or tamper with data on affected systems. The vulnerability is not remotely exploitable, indicating that an attacker would require local access to exploit the issue. According to the official CVE entry, the vulnerability was published on October 10, 2025, and is being tracked by NVIDIA’s Product Security Incident Response Team (PSIRT). While the specific affected product versions are not listed in the CVE feed, the issue is confirmed to impact NVIDIA Display Driver software. In parallel, security reports highlight that NVIDIA has released patches addressing multiple high-severity vulnerabilities in its GPU drivers, some of which risk remote code execution (RCE) and privilege escalation. These patches are part of NVIDIA’s ongoing efforts to mitigate risks associated with their graphics drivers, which are widely used in both consumer and enterprise environments. The vulnerabilities addressed in the latest update could potentially be leveraged by attackers to gain unauthorized access or control over systems running vulnerable driver versions. Organizations using NVIDIA GPU drivers are strongly advised to review the latest security advisories and apply the recommended patches to reduce exposure. The disclosure underscores the importance of maintaining up-to-date drivers, as vulnerabilities in such low-level system components can have significant security implications. Security teams should also monitor for any signs of exploitation attempts targeting these flaws, especially in environments where local access by untrusted users is possible. The high CVSS score of 8.2 for CVE-2025-23309 reflects the potential impact of successful exploitation. NVIDIA’s prompt response and patch release demonstrate the company’s commitment to addressing security issues in its products. Enterprises should ensure that their asset inventories accurately reflect the presence of NVIDIA drivers and prioritize patching accordingly. The incident also highlights the broader trend of attackers targeting device drivers as a means to bypass operating system security controls. Given the critical role of GPU drivers in system performance and security, timely remediation is essential to prevent potential compromise. Security advisories from both NVIDIA and independent security researchers provide detailed guidance on mitigation steps. Regular vulnerability management processes should incorporate driver updates as a key component of endpoint security. Finally, organizations should consider implementing additional controls, such as application whitelisting and user privilege restrictions, to further reduce the risk of exploitation.
1 months ago