Description
NVIDIA Jetson Linux has vulnerability in initrd, where an unprivileged attacker with physical access coul inject incorrect command line arguments. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, data tampering, and information disclosure.
Published: 2026-03-31
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Code Execution
Action: Immediate Patch
AI Analysis

Impact

A malicious actor who can physically access an NVIDIA Jetson board can modify the boot initrd, causing the kernel to parse forged command line arguments. The initrd processes these arguments without proper validation, which allows arbitrary commands to run during the early boot stage. When successful, the attacker can execute code with elevated privileges, disrupt services, alter stored data, or exfiltrate confidential information.

Affected Systems

The flaw appears in NVIDIA Jetson devices from the Xavier, Orin, and Thor families. All variants listed in the CPE entries—including the 32 GB and 64 GB models, developer and industrial editions, Orin Nano, Orin NX, as well as the T4000 and T5000 workstations—are susceptible. Jetson Linux distributions up to version 38.2 are also affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.6, indicating high severity. The EPSS score is below 1 %, suggesting that exploitation is not widespread yet, but the requirement of physical presence means a determined adversary can trigger the attack if they can reach the device. The flaw is not listed in CISA’s Known Exploited Vulnerabilities catalog, implying that no publicly documented exploits have yet been found, but the potential impact warrants prompt remediation.

Generated by OpenCVE AI on April 3, 2026 at 21:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available Jetson Linux firmware or kernel updates that address initrd parsing.
  • If no update exists, limit the initrd’s exposure by removing nonessential modules or restricting the arguments that can be parsed during boot.
  • Physically secure the device and enforce secure boot to block unauthorized modifications to boot components.
  • Verify the integrity of the initrd file with checksums or digital signatures before each startup.
  • Monitor system logs for unexpected initrd activity or error messages that could indicate an attempt to inject commands.

Generated by OpenCVE AI on April 3, 2026 at 21:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Physical Access Exploit Allows Unauthorized Command Injection in NVIDIA Jetson Initrd

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Nvidia jetson Agx Orin 32gb
Nvidia jetson Agx Orin 64gb
Nvidia jetson Agx Orin Developer Kit
Nvidia jetson Agx Orin Industrial
Nvidia jetson Agx Thor Developer Kit
Nvidia jetson Agx Xavier 32gb
Nvidia jetson Agx Xavier 64gb
Nvidia jetson Agx Xavier Industrial
Nvidia jetson Linux
Nvidia jetson Orin Nano 4gb
Nvidia jetson Orin Nano 8gb
Nvidia jetson Orin Nano Super Developer Kit
Nvidia jetson Orin Nx 16gb
Nvidia jetson Orin Nx 8gb
Nvidia jetson T4000
Nvidia jetson T5000
Nvidia jetson Xavier Nx 16gb
Nvidia jetson Xavier Nx 8gb
CPEs cpe:2.3:h:nvidia:jetson_agx_orin_32gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_agx_orin_64gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_agx_orin_developer_kit:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_agx_orin_industrial:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_agx_thor_developer_kit:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_agx_xavier_32gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_agx_xavier_64gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_agx_xavier_industrial:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_orin_nano_4gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_orin_nano_8gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_orin_nano_super_developer_kit:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_orin_nx_16gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_orin_nx_8gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_t4000:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_t5000:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_xavier_nx_16gb:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:jetson_xavier_nx_8gb:-:*:*:*:*:*:*:*
cpe:2.3:o:nvidia:jetson_linux:*:*:*:*:*:*:*:*
cpe:2.3:o:nvidia:jetson_linux:38.2:*:*:*:*:*:*:*
Vendors & Products Nvidia jetson Agx Orin 32gb
Nvidia jetson Agx Orin 64gb
Nvidia jetson Agx Orin Developer Kit
Nvidia jetson Agx Orin Industrial
Nvidia jetson Agx Thor Developer Kit
Nvidia jetson Agx Xavier 32gb
Nvidia jetson Agx Xavier 64gb
Nvidia jetson Agx Xavier Industrial
Nvidia jetson Linux
Nvidia jetson Orin Nano 4gb
Nvidia jetson Orin Nano 8gb
Nvidia jetson Orin Nano Super Developer Kit
Nvidia jetson Orin Nx 16gb
Nvidia jetson Orin Nx 8gb
Nvidia jetson T4000
Nvidia jetson T5000
Nvidia jetson Xavier Nx 16gb
Nvidia jetson Xavier Nx 8gb

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Physical Access Exploit Allows Unauthorized Command Injection in NVIDIA Jetson Initrd
First Time appeared Nvidia
Nvidia jetson Orin Series
Nvidia jetson Thor
Nvidia jetson Xavier Series
Vendors & Products Nvidia
Nvidia jetson Orin Series
Nvidia jetson Thor
Nvidia jetson Xavier Series

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description NVIDIA Jetson Linux has vulnerability in initrd, where an unprivileged attacker with physical access coul inject incorrect command line arguments. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, data tampering, and information disclosure.
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Nvidia Jetson Agx Orin 32gb Jetson Agx Orin 64gb Jetson Agx Orin Developer Kit Jetson Agx Orin Industrial Jetson Agx Thor Developer Kit Jetson Agx Xavier 32gb Jetson Agx Xavier 64gb Jetson Agx Xavier Industrial Jetson Linux Jetson Orin Nano 4gb Jetson Orin Nano 8gb Jetson Orin Nano Super Developer Kit Jetson Orin Nx 16gb Jetson Orin Nx 8gb Jetson Orin Series Jetson T4000 Jetson T5000 Jetson Thor Jetson Xavier Nx 16gb Jetson Xavier Nx 8gb Jetson Xavier Series
cve-icon MITRE

Status: PUBLISHED

Assigner: nvidia

Published:

Updated: 2026-03-31T17:46:32.434Z

Reserved: 2026-01-21T19:09:29.850Z

Link: CVE-2026-24154

cve-icon Vulnrichment

Updated: 2026-03-31T17:46:27.806Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T17:16:30.680

Modified: 2026-04-03T19:04:33.083

Link: CVE-2026-24154

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:07:55Z

Weaknesses