CVE-2026-24148, CVE-2026-24154 and CVE-2026-24153: About NVIDIA Jetson (2nd-April-2026)

Preface: NVIDIA JetPack and Jetson Linux (formerly L4T – Linux for Tegra) are the foundational software stacks for NVIDIA Jetson AI modules. Jetson Linux provides the essential BSP (bootloader, Linux kernel, Ubuntu rootfs, drivers), while JetPack SDK bundles this with developer tools, libraries (CUDA, TensorRT), and APIs for AI, computer vision, and robotics.

Background: Leaving the initrd and root file system (rootfs) unencrypted creates a significant security gap against local physical attacks. In a standard industrial or autonomous deployment, physical access is often the most direct threat to a machine’s integrity.

The Security Gap: Local Physical Access

When a Jetson device is left with its default, unencrypted configuration, an attacker with physical access can easily bypass system protections:

Because the bootloader cannot read encrypted files directly, it must first mount an unencrypted partition containing the kernel and initrd images. Without signing or encryption, these critical files can be replaced via a malicious USB or NVMe drive.
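To check which mounted filesystems on a device actually sit behind an encryption layer, the following added example (not from NVIDIA or the original page) walks the device tree in `lsblk --json -o NAME,TYPE,MOUNTPOINT` output and reports every mount point that is not backed by dm-crypt. The sample JSON, device names and layout are constructed for illustration.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,MOUNTPOINT` output; the
# device names and layout are illustrative, not taken from a real Jetson.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "mmcblk0", "type": "disk", "mountpoint": null, "children": [
    {"name": "mmcblk0p1", "type": "part", "mountpoint": "/boot"},
    {"name": "mmcblk0p2", "type": "part", "mountpoint": null, "children": [
      {"name": "crypt_root", "type": "crypt", "mountpoint": "/"}
    ]}
  ]},
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/data"}
  ]}
]}
"""

def mount_encryption(lsblk_json):
    """Map each mount point to True if a dm-crypt layer sits at or above it."""
    result = {}

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        # MOUNTPOINT yields a single value; the newer MOUNTPOINTS column a list.
        mounts = node.get("mountpoints") or [node.get("mountpoint")]
        for mount in mounts:
            if mount:
                # If a mount point is seen twice, any plaintext path wins.
                result[mount] = result.get(mount, True) and under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json).get("blockdevices", []):
        walk(device, False)
    return result

def plaintext_mounts(lsblk_json):
    """Return the sorted mount points that are not backed by dm-crypt."""
    return sorted(m for m, enc in mount_encryption(lsblk_json).items() if not enc)

if __name__ == "__main__":
    for mount, encrypted in sorted(mount_encryption(SAMPLE_LSBLK).items()):
        print(f"{mount:8} {'encrypted' if encrypted else 'PLAINTEXT'}")
```

A plaintext boot partition is expected even on an encrypted system, which is why the kernel and initrd stored there depend on signing rather than encryption.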

Ref: nvluks-srv-app is an NVIDIA Jetson Linux user-space application used to retrieve a unique, secure passphrase from the Trusted Execution Environment (TEE) to unlock encrypted partitions at boot time. It enables disk encryption on Jetson devices by facilitating secure communication between the normal operating system and the hardware-backed security services (OP-TEE).

Vulnerability details:

CVE-2026-24154 NVIDIA Jetson Linux has a vulnerability in initrd, where an unprivileged attacker with physical access could inject incorrect command line arguments. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, data tampering, and information disclosure.

CVE-2026-24148 NVIDIA Jetson for JetPack contains a vulnerability in the system initialization logic, where an unprivileged attacker could cause the initialization of a resource with an insecure default. A successful exploit of this vulnerability might lead to information disclosure of encrypted data, data tampering, and partial denial of service across devices sharing the same machine ID.

CVE-2026-24153 NVIDIA Jetson Linux has a vulnerability in initrd, where the nvluks trusted application is not disabled. A successful exploit of this vulnerability might lead to information disclosure.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5797