Description
NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data tampering.
Published: 2026-04-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential Data Tampering
Action: Assess
AI Analysis

Impact

NVIDIA KAI Scheduler allows an attacker to reference pods across namespaces without sufficient authorization checks, potentially enabling unauthorized modification of pod data. The vulnerability is classified under CWE-863, which denotes improper authorization. Successful exploitation could allow a malicious actor to tamper with data in cross‑namespace pod interactions, threatening data integrity within the affected system.

Affected Systems

The affected product is NVIDIA KAI Scheduler. No specific version information is supplied, so all builds or releases of this scheduler are considered potentially susceptible until vendor guidance is provided.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the EPSS score is not available, suggesting limited public awareness of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no known weaponized exploits at the time of this analysis. The likely attack vector requires internal cluster access or privileged interaction with the scheduler API; an attacker would need to craft pod references that span namespaces. The risk remains primarily to data integrity rather than availability or confidentiality.

Generated by OpenCVE AI on April 22, 2026 at 03:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NVIDIA KAI Scheduler to the latest patched version once available from NVIDIA.
  • Apply tight Kubernetes RBAC controls that restrict pod creation and reference permissions across namespaces.
  • Audit and monitor pod communication patterns for anomalous cross‑namespace interactions.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nvidia; Nvidia kai Scheduler
Vendors & Products | | Nvidia; Nvidia kai Scheduler

Wed, 22 Apr 2026 03:30:00 +0000

Type | Values Removed | Values Added
Title | | Improper Authorization Enabling Data Tampering via Cross‑Namespace Pod References in NVIDIA KAI Scheduler

Tue, 21 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data tampering.
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: nvidia

Published:

Updated: 2026-04-21T16:43:30.471Z

Reserved: 2026-01-21T19:09:31.778Z

Link: CVE-2026-24176

Vulnrichment

Updated: 2026-04-21T16:43:26.357Z

NVD

Status: Awaiting Analysis

Published: 2026-04-21T17:16:23.603

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-24176

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:46:16Z

Weaknesses