Cyber Posture

CVE-2026-24154

High

Published: 31 March 2026

Modified: 03 April 2026
CVSS Score: 7.6 (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0003 (10.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24154 is a high-severity OS Command Injection (CWE-78) vulnerability in Nvidia Jetson Linux. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 10.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 PE-3 (Physical Access Control) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly remediates the OS command injection vulnerability in NVIDIA Jetson Linux initrd by applying vendor-provided patches and updates.

prevent

Prevents unauthorized physical access required for an unprivileged attacker to inject incorrect command line arguments during the boot process.

prevent

Enforces validation of command line arguments as external inputs to initrd, directly mitigating the CWE-78 OS command injection vulnerability.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1542 Pre-OS Boot · Stealth
Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system.
Why these techniques?

OS command injection during boot with physical access directly enables boot process manipulation (T1542 Pre-OS Boot) and privilege escalation via vulnerability exploitation (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

NVIDIA Jetson Linux has a vulnerability in initrd, where an unprivileged attacker with physical access could inject incorrect command line arguments. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, data tampering, and information disclosure.

Deeper analysis

CVE-2026-24154 is a vulnerability in the initrd component of NVIDIA Jetson Linux, stemming from CWE-78 (OS Command Injection). It allows an unprivileged attacker with physical access to inject incorrect command line arguments during the boot process. The issue received a CVSS v3.1 base score of 7.6 (AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-03-31.

An unprivileged attacker with physical access to the device can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation may result in arbitrary code execution, privilege escalation, denial of service, data tampering, or information disclosure, potentially compromising the entire system due to the changed scope.

Mitigation details are available in official advisories, including the NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5797, the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-24154, and the CVE record at https://www.cve.org/CVERecord?id=CVE-2026-24154. Security practitioners should consult these resources for patch information and recommended remediation steps.

Details

CWE(s)

Affected Products

nvidia
jetson linux
38.2 · ≤ 35.6.4 · 36.0 — 36.5

CVEs Like This One

CVE-2026-24148 · Same product: Nvidia Jetson Agx Orin 32Gb
CVE-2025-33228 · Same vendor: Nvidia
CVE-2025-33230 · Same vendor: Nvidia
CVE-2025-33179 · Same vendor: Nvidia
CVE-2026-24157 · Same vendor: Nvidia
CVE-2025-33240 · Same vendor: Nvidia
CVE-2026-24159 · Same vendor: Nvidia
CVE-2025-33180 · Same vendor: Nvidia
CVE-2025-33241 · Same vendor: Nvidia
CVE-2025-33239 · Same vendor: Nvidia
