CVE-2025-33251
Published: 18 February 2026
Summary
CVE-2025-33251 is a high-severity Code Injection (CWE-94) vulnerability in Nvidia Nemo. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 31.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE by requiring timely identification, reporting, and remediation of flaws like code injection in NVIDIA NeMo Framework through patching.
Enforces least privilege to limit the capabilities of local low-privilege attackers required for exploiting this vulnerability.
Implements memory safeguards such as DEP and ASLR to protect against code injection attacks like CWE-94 in the framework.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CWE-94 code injection in NeMo enables arbitrary code execution (T1059) and local exploitation for privilege escalation or impact (T1068).
NVD Description
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.
Deeper analysisAI
CVE-2025-33251 is a vulnerability in the NVIDIA NeMo Framework that could allow an attacker to cause remote code execution. A successful exploit might lead to code execution, denial of service, information disclosure, and data tampering. The issue is associated with CWE-94 (Code Injection) and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with local attack vector, low attack complexity, and requirements for low privileges but no user interaction.
Exploitation requires a local attacker with low-level privileges on the affected system. Upon successful exploitation, the attacker can achieve high impacts across confidentiality, integrity, and availability, including arbitrary code execution, service disruption, sensitive data exposure, and unauthorized data modification.
Mitigation guidance is available in official advisories, including the NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5762, the NVD detail page at https://nvd.nist.gov/vuln/detail/CVE-2025-33251, and the CVE record at https://www.cve.org/CVERecord?id=CVE-2025-33251. The vulnerability was published on 2026-02-18.
Details
- CWE(s)