CVE-2024-0081

8.6 HIGH

📋 TL;DR

This vulnerability in NVIDIA's NeMo framework allows attackers to cause unlimited resource allocation in the ASR web application component, leading to server-side denial of service. It affects Ubuntu systems running vulnerable versions of the NeMo framework. The vulnerability is particularly concerning for systems exposed to untrusted networks.

💻 Affected Systems

Products:
  • NVIDIA NeMo Framework
Versions: prior to 1.21.2
Operating Systems: Ubuntu
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the tools/asr_webapp component of the NeMo framework.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption of the ASR web application, potentially affecting dependent services and causing extended downtime.

🟠

Likely Case

Degraded performance or temporary unavailability of the ASR web application service.

🟢

If Mitigated

Minimal impact with proper resource limits and network segmentation in place.

🌐 Internet-Facing: HIGH - The vulnerability affects a web application component that could be exposed to external attackers.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability involves resource allocation without limits, which typically requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.21.2

Vendor Advisory: https://github.com/NVIDIA/NeMo/security/advisories/GHSA-x392-p65g-4rxx

Restart Required: Yes

Instructions:

1. Update NVIDIA NeMo to version 1.21.2 or later.
2. Restart the ASR web application service.
3. Verify the update was successful.

🔧 Temporary Workarounds

Implement Resource Limits

Configure system-level resource limits for the ASR web application process (Linux shell). ulimit only applies to the shell it is run in and to the processes that shell starts, so run it in the same session or service unit that launches the webapp, not in a separate terminal:

ulimit -v [memory_limit]
ulimit -n [file_descriptor_limit]
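As an added example (not code from the advisory or from the NeMo project), the same workaround applied from Python on Linux: the launcher sets the address-space and open-file limits on itself with resource.setrlimit and then replaces itself with the webapp via exec, so the limits are inherited by the service regardless of which shell started it. The launch command, the 4 GiB and 1024 values, and the PATH_TO_ASR_WEBAPP_ENTRYPOINT.py placeholder are assumptions to adjust for the deployment.

```python
"""Added example (not from the advisory or from NeMo): start the ASR webapp
under per-process address-space and open-file limits, the Python equivalent
of the ulimit workaround. The launch command and the limit values are
assumptions; adjust them to the deployment."""
import os
import resource
import sys
from typing import Dict, List, Tuple

GIB = 2 ** 30
NO_LIMIT = resource.RLIM_INFINITY


def clamp_to_hard(desired: int, hard: int) -> int:
    """setrlimit() rejects a soft limit above the hard limit, so never ask for more."""
    if hard == NO_LIMIT:
        return desired
    return min(desired, hard)


def planned_limits(max_address_space: int = 4 * GIB,
                   max_open_files: int = 1024) -> Dict[str, Tuple[int, int]]:
    """Return {rlimit name: (soft, hard)} honouring the hard limits already in force.

    Hard limits are left unchanged. Lowering them as well would stop the webapp
    from raising its own soft limit back, at the cost of being irreversible for
    a non-root process.
    """
    wanted = {"RLIMIT_AS": max_address_space, "RLIMIT_NOFILE": max_open_files}
    plan = {}
    for name, value in wanted.items():
        _soft, hard = resource.getrlimit(getattr(resource, name))
        plan[name] = (clamp_to_hard(value, hard), hard)
    return plan


def apply_limits(plan: Dict[str, Tuple[int, int]]) -> None:
    """Install the planned soft limits on the current process."""
    for name, (soft, hard) in plan.items():
        resource.setrlimit(getattr(resource, name), (soft, hard))


def launch(argv: List[str]) -> None:
    """Apply the limits, then exec the webapp in place; rlimits survive exec()."""
    apply_limits(planned_limits())
    os.execvp(argv[0], argv)


if __name__ == "__main__":
    # Placeholder command (assumption): replace with the real entry point of tools/asr_webapp.
    launch(sys.argv[1:] or ["python", "PATH_TO_ASR_WEBAPP_ENTRYPOINT.py"])
```

Run it as `python launcher.py <the usual webapp command>`; because exec replaces the launcher, the webapp keeps the launcher's PID, which keeps service managers happy. The same effect is available declaratively in a systemd unit through LimitAS= and LimitNOFILE=.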

Network Segmentation

Restrict network access to the ASR web application to trusted sources only (Linux shell). iptables evaluates rules in order, so the ACCEPT rule for the trusted source must be appended before the catch-all DROP, as below:

iptables -A INPUT -p tcp --dport [asr_port] -s [trusted_ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [asr_port] -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Monitor resource usage and implement automated alerts for abnormal consumption

🔍 How to Verify

Check if Vulnerable:

Check the installed NeMo version and confirm whether the tools/asr_webapp component is running from a version prior to 1.21.2.

Check Version:

python -c "import nemo; print(nemo.__version__)"

Verify Fix Applied:

Confirm NeMo version is 1.21.2 or later and test ASR web application functionality
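As an added example (not from the advisory or from NeMo), a Python check that compares the installed nemo.__version__ against the 1.21.2 fix release. A plain string comparison gets this wrong ("1.9.0" sorts after "1.21.2", and "1.21.2rc0" still precedes the fix), so the version is parsed into numeric components first. The nemo import is optional so the check also runs where NeMo is not installed; the version strings in the test are constructed.

```python
"""Added example (not from the advisory or from NeMo): decide whether an
installed NeMo version falls in the affected range for CVE-2024-0081,
i.e. anything before the 1.21.2 fix release."""
import re
from typing import Optional, Tuple

FIXED_VERSION = (1, 21, 2)  # first release carrying the fix, per the advisory

# Accepts "1.21.1", "v1.21", "1.21.2rc0", "1.21.2.dev3", "1.21.2+cu121".
_VERSION_RE = re.compile(
    r"^\s*v?(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?P<pre>(?:a|b|rc|\.?dev)\d*)?"
)


def parse_version(text: str) -> Tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_prerelease) for a version string.

    A missing patch component counts as 0. Local/build suffixes such as
    '+cu121' are ignored; pre-release markers (a, b, rc, dev) are recorded
    because 1.21.2rc0 still precedes the 1.21.2 release.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (
        int(m["major"]),
        int(m["minor"]),
        int(m["patch"] or 0),
        m["pre"] is not None,
    )


def is_vulnerable(version: str) -> bool:
    """True when the version is older than the fix release, or a pre-release of it."""
    major, minor, patch, prerelease = parse_version(version)
    numeric = (major, minor, patch)
    if numeric < FIXED_VERSION:
        return True
    return numeric == FIXED_VERSION and prerelease


def installed_nemo_version() -> Optional[str]:
    """Read nemo.__version__ if NeMo is importable in this interpreter, else None."""
    try:
        import nemo  # only present where NeMo is installed
    except ImportError:
        return None
    return getattr(nemo, "__version__", None)


def report() -> str:
    """Human-readable verdict for the current interpreter environment."""
    version = installed_nemo_version()
    if version is None:
        return ("NeMo is not importable from this interpreter; "
                "run the check in the environment that serves tools/asr_webapp.")
    if is_vulnerable(version):
        return f"NeMo {version}: VULNERABLE to CVE-2024-0081 (update to 1.21.2 or later)"
    return f"NeMo {version}: not affected by CVE-2024-0081"


if __name__ == "__main__":
    print(report())
```

Run it with the same interpreter (or virtual environment) that starts the webapp; a system-wide Python may carry a different NeMo than the one actually serving requests.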

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory allocation patterns
  • ASR webapp process crashes or restarts
  • High resource consumption alerts

Network Indicators:

  • Unusual traffic patterns to ASR webapp port
  • Multiple rapid requests from single source

SIEM Query:

source="asr_webapp" AND (memory_usage>threshold OR process_restart=true)
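As an added example (not code from the advisory), the "multiple rapid requests from a single source" network indicator turned into detection logic over access-log lines: a sliding window per client IP flags sources that exceed a request budget, and 5xx responses from the same client are counted as the corroborating sign that the service is running out of resources. The log line layout, the /transcribe path, the 10-second window and the 5-request budget are assumptions, and the sample log is constructed.

```python
"""Added example (not from the advisory): rate-based detection over ASR webapp
access-log lines, covering the "multiple rapid requests from a single source"
network indicator. The log layout, request path and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Assumed line layout: "<ISO-8601 timestamp> <client_ip> <method> <path> <status>"
_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: one well-behaved client and one hammering /transcribe.
SAMPLE_LOG = """\
2024-03-01T10:00:00 198.51.100.4 POST /transcribe 200
2024-03-01T10:00:01 203.0.113.7 POST /transcribe 200
2024-03-01T10:00:01 203.0.113.7 POST /transcribe 200
2024-03-01T10:00:02 203.0.113.7 POST /transcribe 200
2024-03-01T10:00:02 203.0.113.7 POST /transcribe 200
2024-03-01T10:00:03 203.0.113.7 POST /transcribe 200
2024-03-01T10:00:03 203.0.113.7 POST /transcribe 503
2024-03-01T10:00:04 203.0.113.7 POST /transcribe 503
2024-03-01T10:00:30 198.51.100.4 GET / 200
this line is deliberately malformed and must be skipped
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not fit the layout."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def rapid_request_sources(lines: Iterable[str], window_seconds: int = 10,
                          max_requests: int = 5) -> Dict[str, int]:
    """Map each source IP that exceeded max_requests within any window_seconds
    span to the peak number of requests seen in such a span.

    Lines are expected in timestamp order, as in a live log tail.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged: Dict[str, int] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


def server_error_sources(lines: Iterable[str]) -> Dict[str, int]:
    """Count 5xx responses per source IP; a burst of 503s next to a rapid
    request pattern is what an exhausted service looks like from the log."""
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is not None and 500 <= ev["status"] < 600:
            counts[ev["ip"]] += 1
    return dict(counts)


def alerts(lines: Iterable[str]) -> List[str]:
    """One alert line per flagged source, with its 5xx count for context."""
    lines = list(lines)
    burst = rapid_request_sources(lines)
    errors = server_error_sources(lines)
    return [
        f"rapid requests from {ip}: peak {peak} in window; 5xx responses: {errors.get(ip, 0)}"
        for ip, peak in sorted(burst.items())
    ]


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG.splitlines()):
        print(line)
```

The window and budget should be tuned against a baseline of legitimate traffic before alerting is enabled; transcription clients that upload audio in chunks may legitimately issue several requests per second, so the thresholds above are a starting point rather than a recommendation.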
