Cyber Resilience

CVE-2026-24218

High

Published: 20 May 2026

Published
20 May 2026
Modified
22 May 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0059 43.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-24218 is a high-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Nvidia Dgx Os. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 43.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

NVIDIA DGX OS contains a vulnerability in the factory provisioning process, where the cloning of a base image causes identical SSH host keys to be deployed across multiple systems. The sharing of cryptographic identifiers across all similarly provisioned systems enables…

more

host impersonation or attacker-in-the-middle attacks. A successful exploit of this vulnerability might lead to code execution, data tampering, escalation of privileges, information disclosure, and denial of service.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Shared SSH host keys from image cloning directly enable host impersonation and adversary-in-the-middle attacks as stated in the CVE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-30234Shared CWE-321
CVE-2025-30095Shared CWE-321
CVE-2025-33179Same vendor: Nvidia
CVE-2025-33248Same vendor: Nvidia
CVE-2026-24237Same vendor: Nvidia
CVE-2025-33223Same vendor: Nvidia
CVE-2025-33239Same vendor: Nvidia
CVE-2025-33245Same vendor: Nvidia
CVE-2025-33241Same vendor: Nvidia
CVE-2026-24165Same vendor: Nvidia

Affected Assets

nvidia
dgx os
all versions

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-321

Supply chain protection includes scrutiny of cryptographic implementations, reducing hard-coded keys planted by untrusted vendors.

addresses: CWE-321

Functional and assurance requirements specified in acquisition can prohibit hard-coded cryptographic keys in delivered products.

addresses: CWE-321

Proper key establishment and management processes directly preclude embedding static cryptographic keys in source code or binaries.

addresses: CWE-321

Approved PKI issuance and trust stores replace ad-hoc or hard-coded keys with properly managed, signed certificates.

addresses: CWE-321

Assessments can uncover and prevent suppliers from shipping components that contain hard-coded cryptographic keys.

References