Cyber Posture

CVE-2025-33236

High

Published: 18 February 2026

Published
18 February 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 6.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-33236 is a high-severity Code Injection (CWE-94) vulnerability in Nvidia Nemo. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents code injection by validating malicious data inputs at entry points in the NeMo Framework.

SI-2 Flaw Remediation good match
prevent

Requires timely remediation of the specific code injection flaw through patching as advised in the NVIDIA security bulletin.

SI-16 Memory Protection good match
prevent

Protects against unauthorized code execution from injected malicious data via memory safeguards like non-executable regions.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
attack.mitre.org →
Why these techniques?

CWE-94 code injection directly enables local arbitrary code execution (T1059) and privilege escalation (T1068) with low privileges and no user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

NVIDIA NeMo Framework contains a vulnerability where malicious data created by an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

Deeper analysisAI

CVE-2025-33236 is a code injection vulnerability (CWE-94) in the NVIDIA NeMo Framework, where malicious data crafted by an attacker can lead to arbitrary code execution. Published on 2026-02-18, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts with local access and low privileges required.

A local attacker with low-level privileges can exploit this vulnerability with low complexity and no user interaction. Successful exploitation might result in arbitrary code execution, escalation of privileges, information disclosure, and data tampering within the affected NeMo Framework environment.

Mitigation details are available in the NVIDIA security advisory at https://nvidia.custhelp.com/app/answers/detail/a_id/5762, along with further analysis on the NVD page at https://nvd.nist.gov/vuln/detail/CVE-2025-33236 and the CVE record at https://www.cve.org/CVERecord?id=CVE-2025-33236. Security practitioners should consult these sources for patch information and workarounds specific to NeMo Framework deployments.

Details

CWE(s)
CWE-94

Affected Products

nvidia
nemo
≤ 2.6.1

CVEs Like This One

CVE-2025-33251Same product: Nvidia Nemo
CVE-2025-33249Same product: Nvidia Nemo
CVE-2025-33246Same product: Nvidia Nemo
CVE-2025-33250Same product: Nvidia Nemo
CVE-2026-24157Same product: Nvidia Nemo
CVE-2026-24159Same product: Nvidia Nemo
CVE-2025-33241Same product: Nvidia Nemo
CVE-2025-33245Same product: Nvidia Nemo
CVE-2025-33243Same product: Nvidia Nemo
CVE-2025-33252Same product: Nvidia Nemo

References