CVE-2026-24148 is a vulnerability classified under CWE-1188, indicating the initialization of a resource with an insecure default configuration in NVIDIA Jetson Xavier and Orin Series devices running JetPack versions prior to 35.6.4. The flaw exists in the system initialization logic, where an unprivileged attacker can influence the initialization process to set a resource to an insecure default state. This misconfiguration can be exploited to disclose encrypted data, tamper with data integrity, and cause partial denial of service conditions affecting devices that share the same machine ID. The vulnerability has a CVSS 3.1 base score of 8.3, reflecting high severity due to its network attack vector (AV:N), low attack complexity (AC:L), and the requirement for privileges (PR:L) but no user interaction (UI:N). The scope is unchanged (S:U), but the impact on confidentiality (C:H) and integrity (I:H) is high, with a low impact on availability (A:L). The vulnerability affects a broad range of Jetson devices widely used in AI, robotics, and edge computing, where secure initialization is critical for protecting sensitive data and system integrity. No public exploits have been reported yet, but the potential for serious compromise exists if exploited. The lack of patch links suggests that users should monitor NVIDIA advisories closely for updates.

The vulnerability poses a significant risk to organizations deploying NVIDIA Jetson Xavier and Orin Series devices, especially in environments where these devices handle sensitive or encrypted data. Successful exploitation can lead to unauthorized disclosure of encrypted information, undermining confidentiality. Data tampering can compromise the integrity of operations, potentially causing erroneous AI or robotic behaviors. Partial denial of service could disrupt critical edge computing or industrial automation processes. Since the flaw affects devices sharing the same machine ID, multi-tenant or clustered deployments could experience cascading impacts. The requirement for low privileges and network access means attackers with limited access could leverage this vulnerability, increasing the attack surface. Industries such as manufacturing, autonomous vehicles, healthcare, and defense that rely on Jetson platforms for AI inference and control systems are particularly vulnerable. The potential for data breaches and operational disruption could lead to financial losses, reputational damage, and safety risks.

Organizations should immediately verify the JetPack version running on their NVIDIA Jetson Xavier and Orin devices and plan to upgrade to version 35.6.4 or later once available. Until patches are deployed, restrict network access to Jetson devices to trusted sources only, employing network segmentation and firewall rules to limit exposure. Implement strict access controls to prevent unprivileged users from interacting with system initialization processes or sensitive resources. Monitor device logs and network traffic for unusual activity that could indicate exploitation attempts. Employ encryption and integrity verification mechanisms at higher layers to mitigate potential data tampering. Engage with NVIDIA support channels to obtain official patches or workarounds and stay informed about updates. For multi-tenant environments, isolate devices by machine ID to prevent cross-device impact. Conduct security audits focusing on initialization configurations and resource defaults to identify and remediate insecure settings proactively.