Description
NVIDIA Jetson for JetPack contains a vulnerability in the system initialization logic, where an unprivileged attacker could cause the initialization of a resource with an insecure default. A successful exploit of this vulnerability might lead to information disclosure of encrypted data, data tampering, and partial denial of service across devices sharing the same machine ID.
Published: 2026-03-31
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure, data tampering, and partial denial of service
Action: Patch Immediately
AI Analysis

Impact

This vulnerability arises from a defect in NVIDIA JetPack’s system initialization routine that permits an unprivileged local user to instantiate a resource with insecure default settings. The weakness is identified as CWE‑1188, a privilege‑based resource initialization flaw. Successful exploitation can expose encrypted data, allow malicious alteration of system state, and result in a limited denial of service for all devices sharing the same machine identifier.

Affected Systems

The flaw impacts NVIDIA Jetson devices in the Xavier and Orin families, including the AGX Xavier 32 GB, 64 GB, and industrial variants, the AGX Orin 32 GB, 64 GB, and industrial variants, the Orin Nano 4 GB, 8 GB, and Super Developer Kit, the Orin NX 8 GB, 16 GB, and the Xavier NX 8 GB, 16 GB. These systems run JetPack and JetPack Linux distributions.

Risk and Exploitability

With a CVSS score of 8.3, the vulnerability carries high severity, but an EPSS score of less than 1% indicates a low current likelihood of exploitation. It is not listed in CISA’s KEV catalog. The description specifies that local, unprivileged access is required, making remote attacks unlikely. The CVSS v3.1 vector recorded for this CVE, however, is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L, which rates the attack vector as network with low privileges required. If local access is obtained, the impact spans confidentiality breach, integrity compromise, and partial availability loss across devices sharing the same identifier.

Generated by OpenCVE AI on April 3, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to the latest JetPack release that contains the initialization patch, as documented by NVIDIA.
  • Apply any available JetPack Linux firmware updates that mitigate the issue.
  • If a patch is not yet available, restrict local user accounts to the minimal privileges needed for normal operation and monitor system logs for unexpected resource initialization events.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Privilege-Based Resource Initialization Weakness on NVIDIA Jetson Devices

Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Nvidia jetson Agx Orin 32gb
Nvidia jetson Agx Orin 64gb
Nvidia jetson Agx Orin Developer Kit
Nvidia jetson Agx Orin Industrial
Nvidia jetson Agx Xavier 32gb
Nvidia jetson Agx Xavier 64gb
Nvidia jetson Agx Xavier Industrial
Nvidia jetson Linux
Nvidia jetson Orin Nano 4gb
Nvidia jetson Orin Nano 8gb
Nvidia jetson Orin Nano Super Developer Kit
Nvidia jetson Orin Nx 16gb
Nvidia jetson Orin Nx 8gb
Nvidia jetson Xavier Nx 16gb
Nvidia jetson Xavier Nx 8gb
CPEs cpe:2.3:h:nvidia:jetson_agx_orin_32gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_agx_orin_64gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_agx_orin_developer_kit:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_agx_orin_industrial:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_agx_xavier_32gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_agx_xavier_64gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_agx_xavier_industrial:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_orin_nano_4gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_orin_nano_8gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_orin_nano_super_developer_kit:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_orin_nx_16gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_orin_nx_8gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_xavier_nx_16gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_xavier_nx_8gb:-:*:*:*:*:*:*:*
cpe:2.3:o:nvidia:jetson_linux:*:*:*:*:*:*:*:*
Vendors & Products Nvidia jetson Agx Orin 32gb
Nvidia jetson Agx Orin 64gb
Nvidia jetson Agx Orin Developer Kit
Nvidia jetson Agx Orin Industrial
Nvidia jetson Agx Xavier 32gb
Nvidia jetson Agx Xavier 64gb
Nvidia jetson Agx Xavier Industrial
Nvidia jetson Linux
Nvidia jetson Orin Nano 4gb
Nvidia jetson Orin Nano 8gb
Nvidia jetson Orin Nano Super Developer Kit
Nvidia jetson Orin Nx 16gb
Nvidia jetson Orin Nx 8gb
Nvidia jetson Xavier Nx 16gb
Nvidia jetson Xavier Nx 8gb

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Privilege-Based Resource Initialization Weakness on NVIDIA Jetson Devices
First Time appeared Nvidia
Nvidia jetson Orin Series
Nvidia jetson Xavier Series
Vendors & Products Nvidia
Nvidia jetson Orin Series
Nvidia jetson Xavier Series

Tue, 31 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description NVIDIA Jetson for JetPack contains a vulnerability in the system initialization logic, where an unprivileged attacker could cause the initialization of a resource with an insecure default. A successful exploit of this vulnerability might lead to information disclosure of encrypted data, data tampering, and partial denial of service across devices sharing the same machine ID.
Weaknesses CWE-1188
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: nvidia

Published:

Updated: 2026-04-02T03:55:59.949Z

Reserved: 2026-01-21T19:09:27.438Z

Link: CVE-2026-24148

Vulnrichment

Updated: 2026-04-01T14:00:41.305Z

NVD

Status: Analyzed

Published: 2026-03-31T17:16:29.180

Modified: 2026-04-03T19:12:24.300

Link: CVE-2026-24148

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:07:57Z

Weaknesses