Platform: python
Component: bionemo-framework
Fixed in: 2.0.1
CVE-2026-24164 describes a Denial of Service (DoS) vulnerability in the NVIDIA BioNeMo Framework. The flaw stems from the framework's handling of untrusted data during deserialization, which can allow an attacker to disrupt service and compromise system integrity. All versions of BioNeMo Framework prior to commit f2c2b14 are affected; NVIDIA's fix is contained in commit f2c2b14.
The primary impact of CVE-2026-24164 is denial of service: an attacker could supply crafted input that is passed to the deserialization routine, causing the BioNeMo Framework to crash or become unresponsive. Beyond DoS, the vulnerability description also lists code execution, information disclosure, and data tampering as possible outcomes, which widens the attack surface considerably. Depending on how the framework is integrated and what privileges it runs with, successful exploitation could allow an attacker to read sensitive data, modify system configuration, or execute arbitrary code on the affected system.
CVE-2026-24164 was publicly disclosed on 2026-03-31. The potential for code execution suggests a high exploitation probability, although no public proof-of-concept (PoC) has been released as of this writing. It is not currently listed in the CISA KEV catalog. The combination of a high CVSS score and the potential for code execution warrants close monitoring and prompt patching.
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC:
CVSS Vector:
The recommended mitigation for CVE-2026-24164 is to upgrade immediately to a BioNeMo Framework build that includes commit f2c2b14. If upgrading is not immediately feasible because of compatibility issues or downtime constraints, implement input validation and sanitization so that untrusted data is never passed to the deserializer. This is not a complete fix, but it reduces the attack surface. Monitor system logs for unusual deserialization activity. After upgrading, verify the fix by attempting to reproduce the vulnerability with known malicious input and confirming that the framework handles it gracefully, without crashing or exhibiting unexpected behavior.
Update to a version that includes the commit f2c2b14. This will correct the untrusted data deserialization vulnerability. See the release notes for more details about the update.
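One way to implement the input-validation workaround described above, as an added example that is not code from the BioNeMo project or from NVIDIA: the page does not name the deserialization format, so this assumes a Python pickle-based load path (an assumption) and shows an allowlisting Unpickler with a payload size cap, logging every rejection so that unusual deserialization activity is visible in the logs. The allowlist contents and the size cap are hypothetical policy values.

```python
import collections
import io
import logging
import pickle

logger = logging.getLogger("deserialization-guard")

# Hypothetical policy: only these (module, name) globals may be referenced by
# loaded data, and payloads above the cap are refused before parsing starts.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
}
MAX_PAYLOAD_BYTES = 1_000_000


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any class or function not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # Log the rejection so unusual deserialization activity shows up in logs.
        logger.warning("rejected global %s.%s in untrusted payload", module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def try_load(data: bytes):
    """Return (True, obj) for an accepted payload, (False, reason) otherwise."""
    if len(data) > MAX_PAYLOAD_BYTES:
        logger.warning("rejected payload of %d bytes (cap %d)", len(data), MAX_PAYLOAD_BYTES)
        return False, "payload exceeds size cap"
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except Exception as exc:  # malformed or disallowed payloads raise several types
        return False, f"rejected: {exc}"


# Constructed sample payloads (not real BioNeMo data).
BENIGN_SAMPLE = pickle.dumps({"sequence": "ACGT", "scores": [0.1, 0.9]})
ALLOWLISTED_SAMPLE = pickle.dumps(collections.OrderedDict(a=1))
DISALLOWED_SAMPLE = pickle.dumps(collections.Counter("acgt"))  # Counter is not allowlisted
OVERSIZED_SAMPLE = pickle.dumps(b"\x00" * (MAX_PAYLOAD_BYTES + 1))

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for label, sample in [("benign", BENIGN_SAMPLE), ("allowlisted", ALLOWLISTED_SAMPLE),
                          ("disallowed", DISALLOWED_SAMPLE), ("oversized", OVERSIZED_SAMPLE)]:
        print(label, try_load(sample))
```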
What is CVE-2026-24164?
CVE-2026-24164 is a denial-of-service vulnerability in the NVIDIA BioNeMo Framework, allowing attackers to disrupt service through untrusted data deserialization.

Am I affected?
Yes, if you are using BioNeMo Framework versions prior to commit f2c2b14, you are affected by this vulnerability.

How do I fix it?
Upgrade to a BioNeMo Framework build that includes commit f2c2b14 to remediate the vulnerability. Input validation can be used as a temporary workaround.

Is it being exploited?
While no public exploits are currently known, the high CVSS score and potential for code execution suggest a possibility of exploitation.

Where can I find more information?
Refer to the NVIDIA security bulletin for details and updates regarding CVE-2026-24164: [https://www.nvidia.com/en-us/security/cve/CVE-2026-24164](https://www.nvidia.com/en-us/security/cve/CVE-2026-24164)