CVE-2026-24148: Information Disclosure in NVIDIA Jetson
Platform: nvidia
Component: nvidia-jetson-for-jetpack
Fixed in: 35.6.5, 36.5.1
CVE-2026-24148 describes a vulnerability within the system initialization logic of NVIDIA Jetson for JetPack. This flaw allows an unprivileged attacker to trigger the initialization of a resource with insecure default settings. The potential impact includes information disclosure of encrypted data, data tampering, and partial denial of service across devices sharing the same machine ID. Affected versions include all JetPack versions prior to 35.6.4; upgrading to version 35.6.4 resolves the issue.
Impact and Attack Scenarios
The core of this vulnerability lies in the insecure initialization of a system resource. An attacker, without requiring elevated privileges, can manipulate this process, forcing the resource to adopt a default configuration that lacks proper security controls. This can manifest in several ways. Firstly, it enables the potential disclosure of encrypted data, compromising sensitive information stored on the device. Secondly, the attacker could tamper with data, altering its integrity and potentially disrupting system functionality. Finally, the vulnerability can lead to a partial denial of service, impacting the availability of the device or services it provides, particularly in environments where multiple devices share the same machine ID.
Exploitation Context
CVE-2026-24148 was publicly disclosed on 2026-03-31. Its inclusion in the CISA KEV catalog is pending. Currently, no public proof-of-concept (POC) exploits have been released, but the potential for exploitation exists given the vulnerability's nature and the relatively straightforward attack vector. The severity rating of HIGH indicates a credible threat, and security teams should prioritize remediation.
Threat Intelligence
EPSS: 0.04% (12% percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability: Low — partial or intermittent denial of service. Attacker can degrade performance.
Mitigation and Workarounds
The primary mitigation for CVE-2026-24148 is to upgrade to NVIDIA JetPack version 35.6.4 or later. If an immediate upgrade is not feasible due to compatibility concerns or system downtime requirements, consider implementing temporary workarounds. While a direct WAF rule is unlikely to be effective, restricting access to sensitive resources based on machine ID could offer a limited layer of protection. Thoroughly review and harden the system initialization scripts to prevent unauthorized modifications. After upgrading, confirm the fix by verifying that the system resource initialization process now adheres to secure default configurations and that encrypted data remains protected.
How to fix
Update NVIDIA Jetson for JetPack to version 35.6.4 or later, or to version 36.5 or later, as appropriate, to mitigate this vulnerability. The update corrects the system initialization logic, preventing an unprivileged attacker from causing the initialization of a resource with an insecure default.
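To triage a fleet against the two fix branches named above, the following added example (not NVIDIA's tooling and not part of the original page) classifies reported versions per branch. It assumes the page's version numbers correspond to the release reported in the header line of `/etc/nv_tegra_release`; the inventory, hostnames and function names are constructed for illustration.

```python
import re

# Fix thresholds per release branch, taken from the "How to fix" text above.
# Adjust them to whatever the NVIDIA advisory lists for your branch.
FIXED = {35: (35, 6, 4), 36: (36, 5, 0)}

# Assumed input format: header line of /etc/nv_tegra_release on the device.
RELEASE_LINE = re.compile(r"R(\d+)\s*\(release\),\s*REVISION:\s*(\d+)(?:\.(\d+))?")
DOTTED = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*")

def parse_version(text):
    """Return (major, minor, patch) from a release line or dotted string, else None."""
    m = RELEASE_LINE.search(text) or DOTTED.fullmatch(text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def classify(text):
    """Return 'affected', 'fixed' or 'unknown' for one reported version."""
    v = parse_version(text)
    if v is None:
        return "unknown"  # never treat an unreadable version as safe
    if v[0] in FIXED:
        return "fixed" if v >= FIXED[v[0]] else "affected"
    # Older branches are "prior to 35.6.4"; newer ones are "36.5 or later".
    return "affected" if v[0] < min(FIXED) else "fixed"

# Constructed sample inventory: hostnames and values are made up.
INVENTORY = {
    "edge-cam-01": "# R35 (release), REVISION: 6.3, GCID: 0, BOARD: generic, EABI: aarch64",
    "edge-cam-02": "35.6.4",
    "robot-07": "36.4.3",
    "robot-08": "# R36 (release), REVISION: 5.0, GCID: 0, BOARD: generic, EABI: aarch64",
    "legacy-03": "32.7.6",
    "lab-unk": "not reported",
}

def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(v) for host, v in inventory.items()}

if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host:12} {status}")
```

Hosts that come back `unknown` should be queried again rather than counted as patched.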
Frequently asked questions
What is CVE-2026-24148 — Information Disclosure in NVIDIA Jetson?
CVE-2026-24148 is a HIGH severity vulnerability in NVIDIA Jetson for JetPack where an attacker can trigger insecure resource initialization, potentially leading to data disclosure and denial of service.
Am I affected by CVE-2026-24148 in NVIDIA Jetson?
Yes, if you are using NVIDIA Jetson for JetPack versions prior to 35.6.4, you are affected by this vulnerability.
How do I fix CVE-2026-24148 in NVIDIA Jetson?
Upgrade to NVIDIA JetPack version 35.6.4 or later to resolve this vulnerability. Consider temporary workarounds if an immediate upgrade is not possible.
Is CVE-2026-24148 being actively exploited?
While no public exploits are currently available, the vulnerability's nature suggests a potential for exploitation, and proactive mitigation is recommended.
Where can I find the official NVIDIA advisory for CVE-2026-24148?
Refer to the official NVIDIA security advisory for detailed information and updates regarding CVE-2026-24148: https://www.nvidia.com/en-us/security/cve/CVE-2026-24148/