{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24154", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "state": "PUBLISHED", "assignerShortName": "nvidia", "dateReserved": "2026-01-21T19:09:29.850Z", "datePublished": "2026-03-31T16:23:34.752Z", "dateUpdated": "2026-03-31T17:46:32.434Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-03-31T16:23:34.752Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Code execution, escalation of privileges, denial of service, data tampering, information disclosure"}]}], "affected": [{"vendor": "NVIDIA", "product": "Jetson Xavier Series, Jetson Orin Series and Jetson Thor", "platforms": ["Jetson Linux(35)"], "versions": [{"status": "affected", "version": "All versions prior to 35.6.4"}], "defaultStatus": "unaffected"}, {"vendor": "NVIDIA", "product": "Jetson Xavier Series, Jetson Orin Series and Jetson Thor", "platforms": ["Jetson Linux(36)"], "versions": [{"status": "affected", "version": "All versions prior to 36.5"}], "defaultStatus": "unaffected"}, {"vendor": "NVIDIA", "product": "Jetson Xavier Series, Jetson Orin Series and Jetson Thor", "platforms": ["Jetson Linux(38)"], "versions": [{"status": "affected", "version": "38.2"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "NVIDIA Jetson Linux has vulnerability in initrd, where an unprivileged attacker with physical access coul inject incorrect command line arguments. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, data tampering, and information disclosure.", "supportingMedia": [{"type": "text/html", "base64": true, "value": "NVIDIA Jetson Linux has vulnerability in initrd, where an unprivileged attacker with physical access coul inject incorrect command line arguments. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, data tampering, and information disclosure."}]}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24154"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24154"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5797"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.6, "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "NVIDIA PSIRT"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T17:46:16.608804Z", "id": "CVE-2026-24154", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T17:46:32.434Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24154", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T17:46:16.608804Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T17:46:27.806Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Code execution, escalation of privileges, denial of service, data tampering, information disclosure"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "PHYSICAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NVIDIA", "product": "Jetson Xavier Series, Jetson Orin Series and Jetson Thor", "versions": [{"status": "affected", "version": "All versions prior to 35.6.4"}], "platforms": ["Jetson Linux(35)"], "defaultStatus": "unaffected"}, {"vendor": "NVIDIA", "product": "Jetson Xavier Series, Jetson Orin Series and Jetson Thor", "versions": [{"status": "affected", "version": "All versions prior to 36.5"}], "platforms": ["Jetson Linux(36)"], "defaultStatus": "unaffected"}, {"vendor": "NVIDIA", "product": "Jetson Xavier Series, Jetson Orin Series and Jetson Thor", "versions": [{"status": "affected", "version": "38.2"}], "platforms": ["Jetson Linux(38)"], "defaultStatus": "unaffected"}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24154"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24154"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5797"}], "x_generator": {"engine": "NVIDIA PSIRT"}, "descriptions": [{"lang": "en", "value": "NVIDIA Jetson Linux has vulnerability in initrd, where an unprivileged attacker with physical access coul inject incorrect command line arguments. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, data tampering, and information disclosure.", "supportingMedia": [{"type": "text/html", "value": "NVIDIA Jetson Linux has vulnerability in initrd, where an unprivileged attacker with physical access coul inject incorrect command line arguments. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, data tampering, and information disclosure.", "base64": true}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-03-31T16:23:34.752Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24154", "state": "PUBLISHED", "dateUpdated": "2026-03-31T17:46:32.434Z", "dateReserved": "2026-01-21T19:09:29.850Z", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "datePublished": "2026-03-31T16:23:34.752Z", "assignerShortName": "nvidia"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA Jetson Linux has vulnerability in initrd, where an unprivileged attacker with physical access coul inject incorrect command line arguments. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, data tampering, and information disclosure."}], "id": "CVE-2026-24154", "lastModified": "2026-03-31T17:16:30.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 6.0, "source": "psirt@nvidia.com", "type": "Secondary"}]}, "published": "2026-03-31T17:16:30.680", "references": [{"source": "psirt@nvidia.com", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24154"}, {"source": "psirt@nvidia.com", "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5797"}, {"source": "psirt@nvidia.com", "url": "https://www.cve.org/CVERecord?id=CVE-2026-24154"}], "sourceIdentifier": "psirt@nvidia.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "psirt@nvidia.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["jetson_linux(35)"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,35.6.4)"}}, {"platform": ["Jetson Linux(36)"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,36.5)"}}, {"platform": ["jetson_linux(38)"], "status": "affected", "versions": {"scheme": "generic", "value": "38.2"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "jetson_orin_series", "vendor": "nvidia"}, {"configurations": [{"platform": ["jetson_linux(35)"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,35.6.4)"}}, {"platform": ["Jetson Linux(36)"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,36.5)"}}, {"platform": ["jetson_linux(38)"], "status": "affected", "versions": {"scheme": "generic", "value": "38.2"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "jetson_thor", "vendor": "nvidia"}, {"configurations": [{"platform": ["jetson_linux(35)"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,35.6.4)"}}, {"platform": ["Jetson Linux(36)"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,36.5)"}}, {"platform": ["jetson_linux(38)"], "status": "affected", "versions": {"scheme": "generic", "value": "38.2"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "jetson_xavier_series", "vendor": "nvidia"}], "analysis": {"en": {"generated_at": "2026-03-31T17:21:28.718015+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware or security patch released by NVIDIA for the Jetson board.", "If a patch is not yet available, restrict physical access to the board and enforce strict access controls.", "Enable bootloader write protection if supported to prevent tampering with initrd.", "Review system logs for unexpected initrd arguments or abnormal boot behavior."], "summary": {"action": "Patch", "impact": "Code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects NVIDIA Jetson devices including the Xavier Series, Orin Series, and Thor. No specific affected firmware or hardware revisions are listed, so all current models remain potentially vulnerable until patched.", "description_and_impact": "The CVE details a flaw in the initrd of NVIDIA Jetson Linux that allows an attacker with physical access to supply malformed command line arguments during boot. This misconfiguration permits injection of arbitrary commands that can be executed with root privileges, leading to code execution, privilege escalation, denial of service, data tampering, and disclosure of sensitive information. The weakness is classed as OS command injection (CWE\u201178).", "risk_and_exploitability": "The CVSS score of 7.6 indicates a high severity level. The lack of an EPSS score and absence from the KEV catalog suggest the exploit has not been widely seen in the wild yet, but the local physical access requirement reduces the attack surface. Nevertheless, once an attacker reaches the device, executing malicious commands from the initrd can compromise the entire system. Administrators should treat this as a critical risk while the device is physically exposed."}}}}, "created": "2026-03-31T19:53:57.779344+00:00", "title": "Physical Access Exploit Allows Unauthorized Command Injection in NVIDIA Jetson Initrd", "updated": "2026-03-31T20:37:55.418682+00:00", "vendors": ["nvidia", "nvidia$PRODUCT$jetson_orin_series", "nvidia$PRODUCT$jetson_thor", "nvidia$PRODUCT$jetson_xavier_series"]}