NVIDIA BioNeMo Framework Deserialization Vulnerability Advisory (CVE-2026-24164/165)

## NVIDIA BioNeMo Framework Security Bulletin - March 2026 ### Vulnerability Overview | CVE ID | Description | Vector | CVSS Score | Severity | CWE | Impact | |--------|------|------|-----------|----------|-----|------| | CVE-2026-24164 | NVIDIA BioNeMo contains a vulnerability where a user may cause deserialization of untrusted data. Successful exploitation may lead to code execution, denial of service, information disclosure, and data tampering | `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` | 8.8 | High | CWE-502 | Code Execution, Denial of Service, Information Disclosure, Data Tampering | | CVE-2026-24165 | NVIDIA BioNeMo contains a vulnerability where a user may cause deserialization of untrusted data. Successful exploitation may lead to code execution, denial of service, information disclosure, and data tampering | `AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H` | 7.8 | High | CWE-502 | Code Execution, Denial of Service, Information Disclosure, Data Tampering | ### Affected Scope | CVE ID | Affected Product | Platform/System | Affected Versions | Fixed Version | |--------|-----------|-----------|-----------|----------| | CVE-2026-24164CVE-2026-24165 | BioNeMo Framework | Linux | All versions prior to commit `e5e58c8` | Code branch containing commit `e5e58c8` | ### Remediation **Security Update:** Clone or update the software from the [NVIDIA/BioNeMoFramework GitHub repository](https://github.com/NVIDIA/BioNeMoFramework), ensuring it includes commit `e5e58c8` or later. **Mitigation:** Install the updated version provided in the security update above. ### Acknowledgments - CVE-2026-24164: Thomas Keefer, Dan Ardor - CVE-2026-24165: chen990724 --- *Note: This page does not contain POC code or exploit code.*

Goal Reached Thanks to every supporter — we hit 100%!

NVIDIA BioNeMo Framework Deserialization Vulnerability Advisory (CVE-2026-24164/165)