Platform: nvidia
Component: nvidia-jetson-for-jetpack
Fixed in: 35.6.5, 36.5.1
CVE-2026-24148 describes a vulnerability within the system initialization logic of NVIDIA Jetson for JetPack. This flaw allows an unprivileged attacker to trigger the initialization of a resource with insecure default settings. The potential impact includes information disclosure of encrypted data, data tampering, and partial denial of service across devices sharing the same machine ID. Affected versions include all JetPack versions prior to 35.6.4; upgrading to version 35.6.4 resolves the issue.
The core of this vulnerability lies in the insecure initialization of a system resource. An attacker, without requiring elevated privileges, can manipulate this process, forcing the resource to adopt a default configuration that lacks proper security controls. This can manifest in several ways. Firstly, it enables the potential disclosure of encrypted data, compromising sensitive information stored on the device. Secondly, the attacker could tamper with data, altering its integrity and potentially disrupting system functionality. Finally, the vulnerability can lead to a partial denial of service, impacting the availability of the device or services it provides, particularly in environments where multiple devices share the same machine ID.
CVE-2026-24148 was publicly disclosed on 2026-03-31. Its inclusion in the CISA KEV catalog is pending. Currently, no public proof-of-concept (POC) exploits have been released, but the potential for exploitation exists given the vulnerability's nature and the relatively straightforward attack vector. The severity rating of HIGH indicates a credible threat, and security teams should prioritize remediation.
EPSS: 0.04% (12th percentile)
The primary mitigation for CVE-2026-24148 is to upgrade to NVIDIA JetPack version 35.6.4 or later. If an immediate upgrade is not feasible due to compatibility concerns or system downtime requirements, consider implementing temporary workarounds. While a direct WAF rule is unlikely to be effective, restricting access to sensitive resources based on machine ID could offer a limited layer of protection. Thoroughly review and harden the system initialization scripts to prevent unauthorized modifications. After upgrading, confirm the fix by verifying that the system resource initialization process now adheres to secure default configurations and that encrypted data remains protected.
Update NVIDIA Jetson for JetPack to version 35.6.4 or later, or to version 36.5 or later, as appropriate, to mitigate this vulnerability. The update corrects the system initialization logic, preventing an unprivileged attacker from causing the initialization of a resource with an insecure default.
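To triage devices against the fixed releases named above, the following added example (not NVIDIA's code and not part of the original advisory) classifies a Jetson by its release string. It assumes the version numbers on this page correspond to the Jetson Linux (L4T) release line in `/etc/nv_tegra_release`; the thresholds come from the remediation text and should be confirmed against the vendor advisory.

```python
import re
from pathlib import Path

# Fixed release per branch, taken from the remediation text on this page
# (35.6.4 and 36.5). The page header lists 35.6.5 and 36.5.1 instead, so
# confirm the values against the NVIDIA advisory before relying on them.
FIXED = {35: (35, 6, 4), 36: (36, 5, 0)}

# Release line format: "# R35 (release), REVISION: 6.0, GCID: ..., BOARD: ..."
RELEASE_RE = re.compile(r"#\s*R(\d+)\s*\(release\),\s*REVISION:\s*(\d+)\.(\d+)")


def parse_release(text):
    """Return (major, minor, patch) from a release string, or None."""
    m = RELEASE_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(text):
    """Classify a release string as 'fixed', 'affected' or 'unknown'."""
    ver = parse_release(text)
    if ver is None:
        return "unknown"              # unparseable: do not assume it is safe
    fixed = FIXED.get(ver[0])
    if fixed is None:
        # Branch with no fixed release listed here. Anything older than the
        # earliest fix counts as affected; newer branches need manual review.
        return "affected" if ver < min(FIXED.values()) else "unknown"
    return "fixed" if ver >= fixed else "affected"


# Constructed sample release lines (not captured from real devices).
SAMPLES = [
    "# R35 (release), REVISION: 6.0, GCID: 0, BOARD: generic, EABI: aarch64",
    "# R35 (release), REVISION: 6.4, GCID: 0, BOARD: generic, EABI: aarch64",
    "# R36 (release), REVISION: 4.3, GCID: 0, BOARD: generic, EABI: aarch64",
    "# R32 (release), REVISION: 7.1, GCID: 0, BOARD: generic, EABI: aarch64",
]

if __name__ == "__main__":
    path = Path("/etc/nv_tegra_release")
    if path.exists():
        print(path, "->", assess(path.read_text()))
    for line in SAMPLES:
        print(parse_release(line), "->", assess(line))
```

An `unknown` result means the release could not be parsed or belongs to a branch this page does not cover, and should be reviewed by hand rather than treated as patched.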
CVE-2026-24148 is a HIGH severity vulnerability in NVIDIA Jetson for JetPack where an attacker can trigger insecure resource initialization, potentially leading to data disclosure and denial of service.
Yes, if you are using NVIDIA Jetson for JetPack versions prior to 35.6.4, you are affected by this vulnerability.
Upgrade to NVIDIA JetPack version 35.6.4 or later to resolve this vulnerability. Consider temporary workarounds if an immediate upgrade is not possible.
While no public exploits are currently available, the vulnerability's nature suggests a potential for exploitation, and proactive mitigation is recommended.
Refer to the official NVIDIA security advisory for detailed information and updates regarding CVE-2026-24148: [https://www.nvidia.com/en-us/security/cve/CVE-2026-24148/]