Vypr Intelligence · AI-generated · Jun 17, 2026 · 3 CVEs

NVIDIA SIL GEN3C and NeMo: Three Deserialization Flaws Disclosed, One Unauthenticated RCE

NVIDIA disclosed three high-severity vulnerabilities across its SIL GEN3C and NeMo AI frameworks, including an unauthenticated RCE via pickle deserialization rated CVSS 9.8.

Key findings

  • CVE-2026-53805 in SIL GEN3C is an unauthenticated RCE via pickle deserialization (CVSS 9.8)
  • Two NeMo Framework flaws (CVE-2026-24228, CVE-2026-24155) both rated High (CVSS 7.8)
  • All three vulnerabilities involve unsafe deserialization or code injection
  • No patch or advisory published yet for any of the three CVEs as of disclosure
  • SIL GEN3C flaw requires no authentication — a single crafted HTTP request can trigger RCE

NVIDIA disclosed three high-severity vulnerabilities across two of its AI/ML frameworks on June 16–17, 2026, all rooted in unsafe deserialization or code injection — two in the NeMo Framework and one in the SIL GEN3C inference server, the latter carrying a CVSS score of 9.8 and requiring no authentication to exploit.

SIL GEN3C: Unauthenticated RCE via Pickle Deserialization

The most critical of the batch is CVE-2026-53805 (CVSSv3 9.8), affecting NVIDIA's Spatial Intelligence Lab (SIL) GEN3C model. The vulnerability lives in the inference API server, specifically the /request-inference and /seed-model endpoints, which deserialize raw HTTP request bodies using Python's pickle.loads() without any authentication or input validation. Because Python's pickle protocol can execute arbitrary code during deserialization, an unauthenticated remote attacker can send a crafted pickle payload to achieve full remote code execution on the server. This is a textbook unsafe-deserialization flaw in a service that is presumably exposed to internal or external networks.
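To make the pattern described above concrete, here is an added example (not NVIDIA's code and not from the advisory) of a data-only request parser that could stand in for pickle.loads() on an HTTP body, plus a static check that lists the import and call opcodes in a pickle stream without loading it. The field names prompt and seed, the function names, and the sample bodies are assumptions constructed for illustration.

```python
import datetime
import json
import pickle
import pickletools

# Opcodes that make an unpickler import a name or invoke a callable.
EXEC_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "BUILD"}
ALLOWED_FIELDS = {"prompt": str, "seed": int}  # assumed request schema


def exec_opcodes(body: bytes) -> set:
    """List import/call opcodes in a pickle stream without ever loading it."""
    found = set()
    try:
        for op, _arg, _pos in pickletools.genops(body):
            if op.name in EXEC_OPCODES:
                found.add(op.name)
    except Exception:
        pass  # malformed or truncated stream: report what was seen so far
    return found


def parse_request(body: bytes) -> dict:
    """Data-only replacement for pickle.loads(body): strict JSON plus schema."""
    if body[:1] == b"\x80":  # PROTO opcode (protocol >= 2): reject, keep detail for logs
        raise ValueError(f"pickle body rejected, opcodes={sorted(exec_opcodes(body))}")
    doc = json.loads(body.decode("utf-8"))  # decode/parse errors are ValueError too
    if not isinstance(doc, dict) or set(doc) != set(ALLOWED_FIELDS):
        raise ValueError("unexpected fields")
    for name, kind in ALLOWED_FIELDS.items():
        # bool is a subclass of int, so exclude it explicitly
        if not isinstance(doc[name], kind) or isinstance(doc[name], bool):
            raise ValueError(f"bad type for {name}")
    return doc


# Constructed samples: even a benign object needs import + call opcodes to unpickle.
BENIGN_OBJECT_PICKLE = pickle.dumps(datetime.date(2026, 6, 17), protocol=4)
PLAIN_DICT_PICKLE = pickle.dumps({"prompt": "a street", "seed": 7}, protocol=4)
JSON_BODY = b'{"prompt": "a street", "seed": 7}'

if __name__ == "__main__":
    print(exec_opcodes(BENIGN_OBJECT_PICKLE))
    print(exec_opcodes(PLAIN_DICT_PICKLE))
    print(parse_request(JSON_BODY))
```

The opcode listing is there for logging and triage only; the parser refuses every pickle body, including ones that carry no import or call opcodes, because the decision to trust the format should not depend on inspecting attacker-supplied bytes.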

NeMo Framework: Two High-Severity Flaws

The NeMo Framework, NVIDIA's open-source toolkit for building and customizing large language models, received patches for two distinct vulnerabilities disclosed on June 16. CVE-2026-24228 (CVSSv3 7.8) is another deserialization-of-untrusted-data issue, which could lead to code execution, privilege escalation, data tampering, and information disclosure on Linux deployments. CVE-2026-24155 (CVSSv3 7.8) is a code injection vulnerability affecting all platforms, carrying the same potential impact of code execution, privilege escalation, information disclosure, and data tampering. Both require some level of access (the CVSS score of 7.8 typically indicates local or authenticated access), making them less immediately dangerous than the SIL GEN3C flaw but still serious in multi-tenant or shared AI infrastructure.

Response and Patch Status

NVIDIA has not yet published a consolidated security advisory for these three CVEs as of the disclosure date. Users of SIL GEN3C should immediately restrict network access to the inference API endpoints and avoid exposing them to untrusted networks until a patch is released. For NeMo Framework, NVIDIA recommends updating to the latest version once the advisory is published. Given the severity of CVE-2026-53805, organizations running GEN3C in production should treat this as a priority — the vulnerability requires no authentication and is trivially exploitable via a single HTTP request.

Why This Batch Matters

This disclosure highlights a recurring pattern in AI/ML infrastructure: research-grade codebases like GEN3C and NeMo are increasingly being deployed in production environments without the security hardening expected of enterprise software. The use of Python's pickle for network-facing deserialization is a well-known anti-pattern, and its presence in an NVIDIA research project underscores the gap between rapid AI innovation and secure deployment practices. Users of both frameworks should monitor NVIDIA's security advisories closely and apply patches as soon as they become available.

AI-written article. Grounded in 3 CVE records listed below.