CVE-2026-24218
Status: Undergoing Analysis - In Progress
NVIDIA DGX OS SSH Host Key Cloning Vulnerability

Publication date: 2026-05-20

Last updated on: 2026-05-22

Assigner: NVIDIA Corporation

Description
NVIDIA DGX OS contains a vulnerability in the factory provisioning process, where the cloning of a base image causes identical SSH host keys to be deployed across multiple systems. The sharing of cryptographic identifiers across all similarly provisioned systems enables host impersonation or attacker-in-the-middle attacks. A successful exploit of this vulnerability might lead to code execution, data tampering, escalation of privileges, information disclosure, and denial of service.
Meta Information
Published: 2026-05-20
Last Modified: 2026-05-22
Generated: 2026-06-10
AI Q&A: 2026-05-21
EPSS Evaluated: 2026-06-08
Affected Vendors & Products
1 associated CPE:

Vendor    Product    Version / Range
nvidia    dgx_os     *
CWE

CWE ID     Description
CWE-321    The product uses a hard-coded, unchangeable cryptographic key.
Compliance Impact

The vulnerability in NVIDIA DGX OS involves the deployment of identical SSH host keys across multiple systems, enabling host impersonation or man-in-the-middle attacks. Such security weaknesses can lead to unauthorized access, data tampering, information disclosure, and privilege escalation.

These impacts could potentially affect compliance with common standards and regulations like GDPR and HIPAA, which require the protection of sensitive data and secure system access controls. Specifically, the risk of information disclosure and unauthorized access may violate requirements for data confidentiality and integrity under these regulations.

However, the provided context and resources do not explicitly discuss or confirm the direct effects of this vulnerability on compliance with GDPR, HIPAA, or other standards.

Detection Guidance

This vulnerability involves identical SSH host keys being deployed across multiple systems due to cloning of a base image during factory provisioning.

To detect this issue on your network or system, you can check for duplicate SSH host keys by comparing the SSH host key fingerprints across your systems.

  • On each system, run: ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub (and likewise for each other host key file in /etc/ssh, since a system offers several key types) to get the fingerprint.
  • Compare the fingerprints from different systems; identical fingerprints for the same key type indicate the vulnerability.

Detecting identical SSH host keys helps identify systems affected by this vulnerability.
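As an added example that is not part of this record, the following Python script performs the same fingerprint comparison over data collected from many systems at once, in the known_hosts-style format that ssh-keyscan prints ("host key-type base64-blob"; the same format results from gathering each system's /etc/ssh/ssh_host_*.pub files and prefixing each line with its hostname). It computes SHA256 fingerprints the way ssh-keygen -lf does and reports every key that appears on more than one host. The sample scan data is constructed, not real DGX output.

```python
import base64
import hashlib
from collections import defaultdict


def _constructed_ed25519_blob(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 public key blob from a seed (not a real key)."""
    pub = hashlib.sha256(seed.to_bytes(4, "big")).digest()       # 32 placeholder bytes
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + pub   # SSH wire format
    return base64.b64encode(blob).decode()


# Constructed sample in ssh-keyscan / known_hosts format ("<host> <type> <base64 blob>").
# Three hosts carry the same ed25519 key, as a cloned image would produce; one is unique.
SAMPLE_SCAN = "\n".join(
    f"{host} ssh-ed25519 {_constructed_ed25519_blob(seed)}"
    for host, seed in [("dgx-01", 1), ("dgx-02", 1), ("dgx-03", 1), ("dgx-04", 2)]
)


def sha256_fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the format printed by `ssh-keygen -lf` (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_scan(text: str):
    """Yield (host, key_type, blob) from known_hosts-style lines; skip comments and blanks."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#"):
            yield parts[0], parts[1], parts[2]


def find_shared_host_keys(text: str) -> dict:
    """Map 'key_type fingerprint' -> sorted hosts, for every key seen on more than one host."""
    hosts_by_key = defaultdict(set)
    for host, key_type, blob in parse_scan(text):
        hosts_by_key[(key_type, sha256_fingerprint(blob))].add(host)
    return {
        f"{key_type} {fp}": sorted(hosts)
        for (key_type, fp), hosts in hosts_by_key.items()
        if len(hosts) > 1
    }


if __name__ == "__main__":
    shared = find_shared_host_keys(SAMPLE_SCAN)
    if not shared:
        print("no shared host keys found")
    for key, hosts in shared.items():
        print(f"{key} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Hashed known_hosts entries (lines starting with "|1|") do not reveal the hostname, so collect with ssh-keyscan or directly from the key files rather than from hashed client files.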

Mitigation Strategies

The vulnerability arises from cloned systems sharing identical SSH host keys, enabling impersonation and man-in-the-middle attacks.

Immediate mitigation steps include regenerating unique SSH host keys on each affected system to ensure cryptographic identifiers are distinct.

  • On each system, regenerate SSH host keys using commands like: sudo ssh-keygen -A (note that -A only creates key types that do not yet exist, so the cloned keys under /etc/ssh/ssh_host_* must be removed before running it).
  • Restart the SSH service after regenerating keys to apply changes; clients that had recorded the old key will then see a host key change warning and need their known_hosts entries updated.

Additionally, review and update the provisioning process to avoid cloning identical keys in the future.

Executive Summary

This vulnerability exists in NVIDIA DGX OS's factory provisioning process, where cloning a base image causes identical SSH host keys to be deployed across multiple systems.

Because these cryptographic identifiers are shared among all similarly provisioned systems, it enables attackers to impersonate hosts or perform man-in-the-middle attacks.

Impact Analysis

Exploitation of this vulnerability can lead to several serious impacts including code execution, data tampering, escalation of privileges, information disclosure, and denial of service.
