CVE-2026-24154
Command Injection in NVIDIA Jetson Linux initrd Enables Privilege Escalation
Publication date: 2026-03-31
Last updated on: 2026-04-03
Assigner: NVIDIA Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nvidia | jetson_linux | to 35.6.4 (exc) |
| nvidia | jetson_linux | From 36.0 (inc) to 36.5 (exc) |
| nvidia | jetson_linux | 38.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24154 is a vulnerability in NVIDIA Jetson Linux related to the initial ramdisk (initrd).
It allows an unprivileged attacker with physical access to inject incorrect command line arguments during system initialization.
This vulnerability is classified as an OS Command Injection (CWE-78), meaning special elements used in OS commands are not properly neutralized.
How can this vulnerability impact me? :
Exploiting this vulnerability can lead to severe consequences including code execution, escalation of privileges, denial of service, data tampering, and information disclosure.
The vulnerability has a high impact on confidentiality, integrity, and availability of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in NVIDIA Jetson Linux allows an unprivileged attacker with physical access to execute code, escalate privileges, cause denial of service, tamper with data, and disclose information. Such impacts on confidentiality, integrity, and availability could potentially lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.
However, the provided information does not explicitly mention or analyze the direct effects of this vulnerability on compliance with specific standards or regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an attacker with physical access injecting incorrect command line arguments into the initrd during system initialization on NVIDIA Jetson Linux.
Detection would require physical inspection or verification of the initrd command line arguments and system boot parameters for unauthorized modifications.
No specific detection commands or network-based detection methods are provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability requires physical access to the device, so immediate mitigation steps include restricting physical access to the affected NVIDIA Jetson Linux systems.
Additionally, monitoring and verifying the integrity of the initrd and boot command line arguments can help prevent exploitation.
No specific patches, configuration changes, or commands to mitigate this vulnerability are detailed in the provided information.