Description
NVIDIA Jetson Linux has vulnerability in initrd, where an unprivileged attacker with physical access coul inject incorrect command line arguments. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, data tampering, and information disclosure.
Published: 2026-03-31
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: Code execution
Action: Patch
AI Analysis

Impact

The CVE details a flaw in the initrd of NVIDIA Jetson Linux that allows an attacker with physical access to supply malformed command line arguments during boot. This misconfiguration permits injection of arbitrary commands that can be executed with root privileges, leading to code execution, privilege escalation, denial of service, data tampering, and disclosure of sensitive information. The weakness is classed as OS command injection (CWE‑78).

Affected Systems

The vulnerability affects NVIDIA Jetson devices including the Xavier Series, Orin Series, and Thor. No specific affected firmware or hardware revisions are listed, so all current models remain potentially vulnerable until patched.

Risk and Exploitability

The CVSS score of 7.6 indicates a high severity level. The lack of an EPSS score and absence from the KEV catalog suggest the exploit has not been widely seen in the wild yet, but the local physical access requirement reduces the attack surface. Nevertheless, once an attacker reaches the device, executing malicious commands from the initrd can compromise the entire system. Administrators should treat this as a critical risk while the device is physically exposed.

Generated by OpenCVE AI on March 31, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware or security patch released by NVIDIA for the Jetson board.
  • If a patch is not yet available, restrict physical access to the board and enforce strict access controls.
  • Enable bootloader write protection if supported to prevent tampering with initrd.
  • Review system logs for unexpected initrd arguments or abnormal boot behavior.

Generated by OpenCVE AI on March 31, 2026 at 17:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Physical Access Exploit Allows Unauthorized Command Injection in NVIDIA Jetson Initrd
First Time appeared Nvidia
Nvidia jetson Orin Series
Nvidia jetson Thor
Nvidia jetson Xavier Series
Vendors & Products Nvidia
Nvidia jetson Orin Series
Nvidia jetson Thor
Nvidia jetson Xavier Series

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description NVIDIA Jetson Linux has vulnerability in initrd, where an unprivileged attacker with physical access coul inject incorrect command line arguments. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, data tampering, and information disclosure.
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Nvidia Jetson Orin Series Jetson Thor Jetson Xavier Series
cve-icon MITRE

Status: PUBLISHED

Assigner: nvidia

Published:

Updated: 2026-03-31T17:46:32.434Z

Reserved: 2026-01-21T19:09:29.850Z

Link: CVE-2026-24154

cve-icon Vulnrichment

Updated: 2026-03-31T17:46:27.806Z

cve-icon NVD

Status : Received

Published: 2026-03-31T17:16:30.680

Modified: 2026-03-31T17:16:30.680

Link: CVE-2026-24154

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:37:55Z

Weaknesses