NVIDIA DGX OS SSH Host Key Duplication Vulnerability
CVE-2026-24218 Published on May 20, 2026

NVIDIA DGX OS contains a vulnerability in the factory provisioning process, where the cloning of a base image causes identical SSH host keys to be deployed across multiple systems. The sharing of cryptographic identifiers across all similarly provisioned systems enables host impersonation or attacker-in-the-middle attacks. A successful exploit of this vulnerability might lead to code execution, data tampering, escalation of privileges, information disclosure, and denial of service.

NVD

Vulnerability Analysis

CVE-2026-24218 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:

NETWORK

Attack Complexity:

HIGH

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

HIGH

Weakness Type

Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

Affected Versions

NVIDIA DGX Spark:

Before OTA0 is affected.

Exploit Probability

EPSS

0.03%

Percentile

9.26%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

NVIDIA DGX OS SSH Host Key Duplication VulnerabilityCVE-2026-24218 Published on May 20, 2026

Vulnerability Analysis

Weakness Type

Use of Hard-coded Cryptographic Key

Affected Versions

Exploit Probability

NVIDIA DGX OS SSH Host Key Duplication Vulnerability
CVE-2026-24218 Published on May 20, 2026