Skip to main content

Nvidia CVE-2026-24148

| EUVDEUVD-2026-17510 HIGH
Initialization of a Resource with an Insecure Default (CWE-1188)
2026-03-31 nvidia
8.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 31, 2026 - 17:16 euvd
EUVD-2026-17510
Analysis Generated
Mar 31, 2026 - 17:16 vuln.today
CVE Published
Mar 31, 2026 - 16:22 nvd
HIGH 8.3

DescriptionCVE.org

NVIDIA Jetson for JetPack contains a vulnerability in the system initialization logic, where an unprivileged attacker could cause the initialization of a resource with an insecure default. A successful exploit of this vulnerability might lead to information disclosure of encrypted data, data tampering, and partial denial of service across devices sharing the same machine ID.

AnalysisAI

NVIDIA Jetson system initialization flaw allows authenticated remote attackers to exploit insecure default machine IDs, enabling cross-device information disclosure of encrypted data and tampering. Affects JetPack on Xavier and Orin series devices. CVSS 8.3 (High) with network attack vector and low complexity. EPSS data not available; no confirmed active exploitation (CISA KEV status not present). The vulnerability enables attackers with low-level privileges to compromise multiple devices sharing identical default machine identifiers, undermining cryptographic protections and system integrity across the device fleet.

Technical ContextAI

This vulnerability (CWE-1188: Initialization of a Resource with an Insecure Default) resides in NVIDIA JetPack's system initialization logic for Jetson Xavier and Orin series embedded computing platforms. The flaw stems from insecure default machine ID generation or assignment during system bootstrap. Machine IDs typically serve as unique identifiers for cryptographic key derivation, device authentication, and session management. When multiple devices share identical default machine IDs due to improper initialization, cryptographic operations that depend on device uniqueness become compromised. An attacker exploiting this can decrypt data encrypted with keys derived from the shared machine ID, inject malicious data across the device cohort, or disrupt services by manipulating shared identity-based resources. The CPE strings indicate broad applicability across NVIDIA's Jetson Xavier and Orin product lines running affected JetPack versions, suggesting this is a systemic issue in the platform's identity management architecture rather than a single component bug.

RemediationAI

Apply the vendor-released security update detailed in NVIDIA Security Bulletin 5797 available at https://nvidia.custhelp.com/app/answers/detail/a_id/5797. The advisory should specify patched JetPack versions that correct the insecure machine ID initialization logic. Upgrading to the fixed JetPack release is the primary remediation path, ensuring proper unique machine ID generation during system initialization. After applying patches, organizations should verify that deployed Jetson devices have unique machine identifiers by auditing device configurations and cryptographic key material. In environments where immediate patching is infeasible, implement network segmentation to isolate Jetson devices from untrusted networks, enforce strict authentication controls to prevent low-privilege account compromise (mitigating PR:L attack requirement), and monitor for anomalous cross-device authentication or data access patterns that could indicate exploitation. Review and rotate any cryptographic keys or certificates that may have been derived from the insecure default machine IDs on previously deployed devices.

More in Nvidia

View all
CVE-2016-1741 CRITICAL POC
9.8 Mar 24

The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.4 allows attackers to execute arbitrary c

CVE-2013-0109 HIGH POC
7.2 Apr 08

The NVIDIA driver before 307.78, and Release 310 before 311.00, in the NVIDIA Display Driver service on Windows does not

CVE-2019-5684 CRITICAL POC
10.0 Aug 06

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft

CVE-2026-24207 CRITICAL POC
9.8 May 20

Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected funct

CVE-2019-5685 CRITICAL POC
9.8 Aug 06

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft

CVE-2025-23359 HIGH POC
8.3 Feb 12

NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default co

CVE-2016-8812 HIGH POC
8.8 Nov 08

For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA GeForce Experience R340 before GFE 2.11.4.125 and R375 before G

CVE-2016-1861 HIGH POC
7.8 Jun 19

The NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privi

CVE-2024-0132 HIGH POC
8.3 Sep 26

NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with de

CVE-2016-1846 HIGH POC
7.8 May 20

The nvCommandQueue::GetHandleIndex method in the NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows a

CVE-2015-7865 HIGH POC
7.7 Nov 24

nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before

CVE-2016-8811 HIGH POC
7.8 Nov 08

For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 3

Share

CVE-2026-24148 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy