{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24176", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "state": "PUBLISHED", "assignerShortName": "nvidia", "dateReserved": "2026-01-21T19:09:31.778Z", "datePublished": "2026-04-21T16:17:00.601Z", "dateUpdated": "2026-04-21T16:43:30.471Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-04-21T16:17:00.601Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Data Tampering"}]}], "affected": [{"vendor": "NVIDIA", "product": "KAI Scheduler", "platforms": ["Linux"], "versions": [{"status": "affected", "version": "All versions prior to 0.13.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data tampering.", "supportingMedia": [{"type": "text/html", "base64": true, "value": "NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data tampering."}]}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24176"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24176"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5818"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "NVIDIA PSIRT"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T16:43:17.122250Z", "id": "CVE-2026-24176", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T16:43:30.471Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24176", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T16:43:17.122250Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T16:43:26.357Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Data Tampering"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NVIDIA", "product": "KAI Scheduler", "versions": [{"status": "affected", "version": "All versions prior to 0.13.0"}], "platforms": ["Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24176"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24176"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5818"}], "x_generator": {"engine": "NVIDIA PSIRT"}, "descriptions": [{"lang": "en", "value": "NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data tampering.", "supportingMedia": [{"type": "text/html", "value": "NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data tampering.", "base64": true}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-04-21T16:17:00.601Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24176", "state": "PUBLISHED", "dateUpdated": "2026-04-21T16:43:30.471Z", "dateReserved": "2026-01-21T19:09:31.778Z", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "datePublished": "2026-04-21T16:17:00.601Z", "assignerShortName": "nvidia"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data tampering."}], "id": "CVE-2026-24176", "lastModified": "2026-04-22T21:24:26.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "psirt@nvidia.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:23.603", "references": [{"source": "psirt@nvidia.com", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24176"}, {"source": "psirt@nvidia.com", "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5818"}, {"source": "psirt@nvidia.com", "url": "https://www.cve.org/CVERecord?id=CVE-2026-24176"}], "sourceIdentifier": "psirt@nvidia.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "psirt@nvidia.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.13.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "KAI Scheduler", "source": "cna", "vendor": "NVIDIA"}, "product": "kai_scheduler", "vendor": "nvidia"}], "analysis": {"en": {"generated_at": "2026-04-22T03:03:48.317997+00:00", "value": {"mitigation_remediation": ["Update NVIDIA KAI Scheduler to the latest patched version once available from NVIDIA.", "Apply tight Kubernetes RBAC controls that restrict pod creation and reference permissions across namespaces.", "Audit and monitor pod communication patterns for anomalous cross\u2011namespace interactions."], "summary": {"action": "Assess", "impact": "Potential Data Tampering"}, "threat_synthesis": {"affected_systems": "The affected product is NVIDIA KAI Scheduler. No specific version information is supplied, so all builds or releases of this scheduler are considered potentially susceptible until vendor guidance is provided.", "description_and_impact": "NVIDIA KAI Scheduler allows an attacker to reference pods across namespaces without sufficient authorization checks, potentially enabling unauthorized modification of pod data. The vulnerability is classified under CWE-863, which denotes improper authorization. A successful exploitation could allow a malicious actor to tamper with data in cross\u2011namespace pod interactions, threatening data integrity within the affected system.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score is not available, suggesting limited public awareness of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no known weaponized exploits at the time of this analysis. Likely attack vector requires internal cluster access or privileged interaction with the scheduler API; an attacker would need to craft pod references that span namespaces. The risk remains primarily to data integrity rather than availability or confidentiality."}}}}, "created": "2026-04-22T03:15:06.407296+00:00", "title": "Improper Authorization Enabling Data Tampering via Cross\u2011Namespace Pod References in NVIDIA KAI Scheduler", "updated": "2026-04-22T11:46:16.428072+00:00", "vendors": ["nvidia", "nvidia$PRODUCT$kai_scheduler"]}