Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
3DescriptionCVE.org
NVIDIA Jetson for JetPack contains a vulnerability in the system initialization logic, where an unprivileged attacker could cause the initialization of a resource with an insecure default. A successful exploit of this vulnerability might lead to information disclosure of encrypted data, data tampering, and partial denial of service across devices sharing the same machine ID.
AnalysisAI
NVIDIA Jetson system initialization flaw allows authenticated remote attackers to exploit insecure default machine IDs, enabling cross-device information disclosure of encrypted data and tampering. Affects JetPack on Xavier and Orin series devices. CVSS 8.3 (High) with network attack vector and low complexity. EPSS data not available; no confirmed active exploitation (CISA KEV status not present). The vulnerability enables attackers with low-level privileges to compromise multiple devices sharing identical default machine identifiers, undermining cryptographic protections and system integrity across the device fleet.
Technical ContextAI
This vulnerability (CWE-1188: Initialization of a Resource with an Insecure Default) resides in NVIDIA JetPack's system initialization logic for Jetson Xavier and Orin series embedded computing platforms. The flaw stems from insecure default machine ID generation or assignment during system bootstrap. Machine IDs typically serve as unique identifiers for cryptographic key derivation, device authentication, and session management. When multiple devices share identical default machine IDs due to improper initialization, cryptographic operations that depend on device uniqueness become compromised. An attacker exploiting this can decrypt data encrypted with keys derived from the shared machine ID, inject malicious data across the device cohort, or disrupt services by manipulating shared identity-based resources. The CPE strings indicate broad applicability across NVIDIA's Jetson Xavier and Orin product lines running affected JetPack versions, suggesting this is a systemic issue in the platform's identity management architecture rather than a single component bug.
RemediationAI
Apply the vendor-released security update detailed in NVIDIA Security Bulletin 5797 available at https://nvidia.custhelp.com/app/answers/detail/a_id/5797. The advisory should specify patched JetPack versions that correct the insecure machine ID initialization logic. Upgrading to the fixed JetPack release is the primary remediation path, ensuring proper unique machine ID generation during system initialization. After applying patches, organizations should verify that deployed Jetson devices have unique machine identifiers by auditing device configurations and cryptographic key material. In environments where immediate patching is infeasible, implement network segmentation to isolate Jetson devices from untrusted networks, enforce strict authentication controls to prevent low-privilege account compromise (mitigating PR:L attack requirement), and monitor for anomalous cross-device authentication or data access patterns that could indicate exploitation. Review and rotate any cryptographic keys or certificates that may have been derived from the insecure default machine IDs on previously deployed devices.
The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.4 allows attackers to execute arbitrary c
The NVIDIA driver before 307.78, and Release 310 before 311.00, in the NVIDIA Display Driver service on Windows does not
NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft
Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected funct
NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft
NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default co
For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA GeForce Experience R340 before GFE 2.11.4.125 and R375 before G
The NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privi
NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with de
The nvCommandQueue::GetHandleIndex method in the NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows a
nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before
For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 3
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17510