Security Vulnerability Report
CVE-2026-24148 CVSS 8.3 HIGH

Published: 2026-03-31 17:16:29
Last Modified: 2026-04-03 19:12:24

Description

NVIDIA Jetson for JetPack contains a vulnerability in the system initialization logic, where an unprivileged attacker could cause the initialization of a resource with an insecure default. A successful exploit of this vulnerability might lead to information disclosure of encrypted data, data tampering, and partial denial of service across devices sharing the same machine ID.

CVSS Details

CVSS Score: 8.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:o:nvidia:jetson_linux:*:*:*:*:*:*:*:* (versions before 35.6.4) - VULNERABLE
cpe:2.3:o:nvidia:jetson_linux:*:*:*:*:*:*:*:* (versions from 36.0 up to, but not including, 36.5) - VULNERABLE
cpe:2.3:h:nvidia:jetson_agx_orin_32gb:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:nvidia:jetson_agx_orin_64gb:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:nvidia:jetson_agx_orin_developer_kit:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:nvidia:jetson_agx_orin_industrial:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:nvidia:jetson_agx_xavier_32gb:-:*:*:*:*:*:*:* - NOT VULNERABLE
NVIDIA Jetson for JetPack (refer to the official security advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
Conceptual PoC for CVE-2026-24148

This script demonstrates a check for the insecure default initialization logic.
Note: This is a simulation based on the vulnerability description.
"""
import subprocess
import sys


def check_insecure_initialization():
    # Simulate checking the initialization logic of Jetson resources.
    # In a real scenario, this would interact with the specific system API.
    print("[*] Checking NVIDIA Jetson JetPack initialization logic...")

    # Hypothetical check: does the resource init allow insecure defaults?
    # This simulates the condition where PR:L (Low Privilege) can trigger the bug.
    try:
        # Mocked system check; the unit name is the simulation's placeholder.
        proc = subprocess.run(
            ["systemctl", "status", "jetson-init-service"],
            capture_output=True,
            text=True,
            check=False,
        )
    except OSError as e:
        # systemctl is missing or could not be executed.
        print(f"[Error] Could not verify status: {e}")
        return None

    if "insecure" in proc.stdout.lower():
        print("[!] Vulnerability detected: Resource initialized with insecure defaults.")
        return True

    print("[-] System appears to be patched or configured securely.")
    return False


if __name__ == "__main__":
    result = check_insecure_initialization()
    # Exit 1 if the simulated condition matched, 2 if the status could not
    # be verified, 0 otherwise.
    if result is None:
        sys.exit(2)
    sys.exit(1 if result else 0)
```

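References

https://nvd.nist.gov/vuln/detail/CVE-2026-24148 (Third Party Advisory, US Government Resource)
https://nvidia.custhelp.com/app/answers/detail/a_id/5797 (Vendor Advisory)
https://www.cve.org/CVERecord?id=CVE-2026-24148 (Third Party Advisory)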

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24148", "sourceIdentifier": "[email protected]", "published": "2026-03-31T17:16:29.180", "lastModified": "2026-04-03T19:12:24.300", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA Jetson for JetPack contains a vulnerability in the system initialization logic, where an unprivileged attacker could cause the initialization of a resource with an insecure default. A successful exploit of this vulnerability might lead to information disclosure of encrypted data, data tampering, and partial denial of service across devices sharing the same machine ID."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 5.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 5.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1188"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:nvidia:jetson_linux:*:*:*:*:*:*:*:*", "versionEndExcluding": "35.6.4", "matchCriteriaId": "B73BF007-6D88-4803-B94B-647CCEC5E291"}, {"vulnerable": true, 
"criteria": "cpe:2.3:o:nvidia:jetson_linux:*:*:*:*:*:*:*:*", "versionStartIncluding": "36.0", "versionEndExcluding": "36.5", "matchCriteriaId": "23FF116C-64BD-4F4D-960F-92A289CB8150"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:nvidia:jetson_agx_orin_32gb:-:*:*:*:*:*:*:*", "matchCriteriaId": "D196FDF9-FC0F-4411-826D-5A7416F26159"}, {"vulnerable": false, "criteria": "cpe:2.3:h:nvidia:jetson_agx_orin_64gb:-:*:*:*:*:*:*:*", "matchCriteriaId": "2392844C-6B11-41EA-A280-3AF1BDB77DC2"}, {"vulnerable": false, "criteria": "cpe:2.3:h:nvidia:jetson_agx_orin_developer_kit:-:*:*:*:*:*:*:*", "matchCriteriaId": "8A7F9D64-EA34-4309-8B2B-293346BD6D25"}, {"vulnerable": false, "criteria": "cpe:2.3:h:nvidia:jetson_agx_orin_industrial:-:*:*:*:*:*:*:*", "matchCriteriaId": "211E860F-BEFF-4407-967B-3C1332268D8E"}, {"vulnerable": false, "criteria": "cpe:2.3:h:nvidia:jetson_agx_xavier_32gb:-:*:*:*:*:*:*:*", "matchCriteriaId": "4F92D471-8E65-41FC-A5DE-255136F6F989"}, {"vulnerable": false, "criteria": "cpe:2.3:h:nvidia:jetson_agx_xavier_64gb:-:*:*:*:*:*:*:*", "matchCriteriaId": "B51F666B-F3ED-4CF3-B48E-B39BDE1C2579"}, {"vulnerable": false, "criteria": "cpe:2.3:h:nvidia:jetson_agx_xavier_industrial:-:*:*:*:*:*:*:*", "matchCriteriaId": "3C7C6B22-EBD3-4465-9852-4A4844AA714A"}, {"vulnerable": false, "criteria": "cpe:2.3:h:nvidia:jetson_orin_nano_4gb:-:*:*:*:*:*:*:*", "matchCriteriaId": "80DA8F1E-9ED6-476A-9C9F-3DC231E5142D"}, {"vulnerable": false, "criteria": "cpe:2.3:h:nvidia:jetson_orin_nano_8gb:-:*:*:*:*:*:*:*", "matchCriteriaId": "DD549248-1C2C-4A0C-9822-691F3D77AEB1"}, {"vulnerable": false, "criteria": "cpe:2.3:h:nvidia:jetson_orin_nano_super_developer_kit:-:*:*:*:*:*:*:*", "matchCriteriaId": "6F4ECB54-9725-4BFA-A9E7-2F24EAE5BDAB"}, {"vulnerable": false, "criteria": "cpe:2.3:h:nvidia:jetson_orin_nx_16gb:-:*:*:*:*:*:*:*", "matchCriteriaId": "6D96D5C9-4F9F-4487-90B9-0D8D473D4C6B"}, {"vulnerable": false, "criteria": 
"cpe:2.3:h:nvidia:jetson_orin_nx_8gb:-:*:*:*:*:*:*:*", "matchCriteriaId": "E3CF8EB6-767C-43F8-A327-A2D4A91A7CF1"}, {"vulnerable": false, "criteria": "cpe:2.3:h:nvidia:jetson_xavier_nx_16gb:-:*:*:*:*:*:*:*", "matchCriteriaId": "A36028A3-EE83-4158-9039-5C6C795FA048"}, {"vulnerable": false, "criteria": "cpe:2.3:h:nvidia:jetson_xavier_nx_8gb:-:*:*:*:*:*:*:*", "matchCriteriaId": "22852BE0-B587-48B4-A7B6-6496715C32EF"}]}]}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24148", "source": "[email protected]", "tags": ["Third Party Advisory", "US Government Resource"]}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5797", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24148", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}