NVIDIA DGX OS Vulnerability in Factory Provisioning Process Leads to Security Risks
CVE-2026-24218

8.1 HIGH

Key Information:

Vendor: Nvidia

Status
Vendor
CVE Published: 20 May 2026

What is CVE-2026-24218?

NVIDIA DGX OS contains a vulnerability in its factory provisioning process: cloning a base image results in multiple systems sharing the same SSH host keys. Because the host key is what an SSH client uses to authenticate the server, a shared key allows host impersonation and potential man-in-the-middle attacks. Exploiting this vulnerability can lead to unauthorized code execution, data manipulation, privilege escalation, information disclosure, and even denial of service, highlighting the urgent need for security measures in provisioning processes.

Affected Version(s)

DGX Spark NVIDIA DGX OS 0

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
