Wednesday, May 20, 2026

Th3_H1tchH1ker Breaks NVIDIA Jetson Orin Secure Boot: TrainSec Co-Founder Discloses CVEs and Opens Live Masterclass Registration

"Secure Boot is not a binary security feature. It is a chain of trust assumptions implemented in software. If you can observe the boot process, you can reconstruct the trust model. If you can reconstruct the trust model, you can identify enforcement gaps. If you can identify enforcement gaps, you can design a bypass." Amichai Yifrach (Th3_H1tchH1ker), cybersecurity researcher and TrainSec co-founder
Amichai Yifrach (Th3_H1tchH1ker), cybersecurity researcher and TrainSec co-founder, has disclosed two Secure Boot vulnerabilities in the NVIDIA Jetson Orin platform (CVE-2026-24154, CVE-2026-24153), acknowledged and patched by NVIDIA. The full research is now public. On May 18, 2026, Yifrach will teach his terminal-only Secure Boot bypass methodology in a 4-hour live masterclass at TrainSec: hands-on, from boot evidence to root shell.

CVE-2026-24154 and CVE-2026-24153 expose trust sequencing failures across millions of edge AI, robotics, and industrial devices. Full research now public. Live masterclass on Secure Boot bypass methodology open for registration.

Amichai Yifrach, known in the security research community as Th3_H1tchH1ker, is a cybersecurity architect with over three decades of hands-on offensive research experience, founder of CYMDALL, and co-founder of TrainSec, the cybersecurity training academy built on the principle that professionals train professionals.

Last week, NVIDIA formally acknowledged two Secure Boot vulnerabilities in the Jetson Orin platform that Yifrach discovered and reported: CVE-2026-24154 (CVSS 7.6, High) and CVE-2026-24153 (CVSS 5.2, Medium). NVIDIA credited th3_h1tchh1ker in their official security bulletin and issued fixes across supported Jetson Linux branches (35.6.4, 36.5, and 38.4).

The full research, a long-form technical essay titled "The Hitchhiker's Guide to Breaking Secure Boot: Jetson Orin CVEs", is now available free on the TrainSec knowledge library.

Read the full research: https://trainsec.net/library/hardware-hacking/the-hitchhikers-guide-to-breaking-secure-boot-jetson-orin-cves/

Who Is Th3_H1tchH1ker?

Amichai Yifrach (Th3_H1tchH1ker) is a cybersecurity architect and researcher specializing in embedded systems, firmware security, and trust-chain analysis. His work spans military, industrial, and commercial environments, including hardware security validation, AI system assurance, and adversarial analysis of system architecture at the firmware and boot layer. He is the founder of CYMDALL, where he is building endpoint security enforcement below the operating system. At TrainSec, he leads the hardware hacking track and teaches practitioners how to move beyond vulnerability hunting and into structured, evidence-driven security reasoning.

The Research: Secure Boot Is Not a Lock

The NVIDIA Jetson Orin is the compute backbone inside millions of edge AI deployments, robotics platforms, autonomous machines, and industrial systems that operate in the physical world: devices that move, decide, sense, and interact with real environments, often at scale, often with some level of physical accessibility.

Yifrach's research shows that the Jetson Orin Secure Boot implementation, while cryptographically sound at stage boundaries, fails to enforce trust consistently through those stages. The result is a development-to-production transition that left recovery logic, debug affordances, and early-boot parameter handling as latent control surfaces in a shipping product.

CVE-2026-24154: Kernel Command Line Fault Injection to Root Shell (CVSS 7.6, High)

A single malformed root filesystem UUID injected on the kernel command line forces the initrd init script into a failure path that spawns `/bin/bash` instead of halting. The system hands an unprivileged attacker a root shell in the early boot environment, bypassing both Secure Boot and full-disk encryption protections.
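The difference between a fail-open and a fail-closed initrd failure path, with a check that can be run over an unpacked initrd during review. This is an added example, not code from NVIDIA, the researcher, or the original release; both init fragments are constructed, and the function names (`fail_open_init`, `fail_closed_init`, `count_shell_drops`) are hypothetical.

```shell
#!/bin/sh
# Constructed init fragments for illustration; not the Jetson init script.

# Fail-open pattern: root device lookup fails, script drops to a shell.
fail_open_init() {
cat <<'EOF'
rootdev="$(blkid -U "$root_uuid")"
if [ -z "$rootdev" ]; then
    echo "ERROR: root device not found"
    /bin/bash
fi
EOF
}

# Fail-closed pattern: the same failure halts the boot instead.
fail_closed_init() {
cat <<'EOF'
rootdev="$(blkid -U "$root_uuid")"
if [ -z "$rootdev" ]; then
    echo "ERROR: root device not found"
    poweroff -f
fi
EOF
}

# Read a script on stdin and count lines that start an interactive shell:
# a bare sh/bash invocation (optionally via exec or with -i) and no script
# argument. grep exits 1 on zero matches, so "|| true" keeps the count usable
# under "set -e".
count_shell_drops() {
    grep -Ec '^[[:space:]]*(exec[[:space:]]+)?(/bin/)?(ba)?sh([[:space:]]+-i)?[[:space:]]*$' || true
}

echo "fail-open shell drops:   $(fail_open_init | count_shell_drops)"
echo "fail-closed shell drops: $(fail_closed_init | count_shell_drops)"
```

To review a real image, pipe its extracted init script into `count_shell_drops`; any non-zero count marks a failure path that should be changed to halt or reboot.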

CVE-2026-24153: Decryption Exposure in Intermediate Shell (CVSS 5.2, Medium)

Once inside that early shell, the decryption routine run by the init script is fully observable. Cryptsetup invocation, key material, and the decrypted root filesystem can be inspected, extracted, and redirected. Encryption is working exactly as designed. The platform has simply been made adversarially observable at the moment it unlocks itself.

Four additional findings show these two CVEs are not isolated bugs but evidence of a systemic pattern: boot parameters that force `systemd` emergency mode on the real rootfs; UART logs that narrate UEFI certificates, filesystem UUIDs, and cryptsetup details over a debug channel; an unauthenticated UEFI Setup interface reachable by pressing ESC at boot; and a UEFI Shell with read-write access to critical partitions before the OS takes control.

"Secure Boot verifies what starts. It does not, by itself, guarantee that the system will behave sanely after verification, during failure, or while unlocking its own secrets. That gap is where this research lived." Amichai Yifrach

The full writeup reconstructs the initrd trust boundary from terminal evidence alone, provides proof-of-concept injections, and walks through the complete attack chain from boot observation to root shell, key extraction, and filesystem access.


The Live Masterclass: Bypassing the Secure Boot, The Terminal Only Methodology

On May 18, 2026, Amichai will deliver a four-hour live technical masterclass through TrainSec. The session is not about the Jetson Orin CVEs specifically. It teaches the methodology behind them: a structured, repeatable framework for analyzing and bypassing Secure Boot using only terminal access, applicable across platforms, vendors, and bootloaders.

No firmware dumping. No fault injection. No hardware attacks. Just logs, environment analysis, trust boundary mapping, and controlled exploitation, executed live on a purpose-built Ubuntu Secure Boot Challenge VM and generalized to U-Boot, shim, Coreboot, and embedded Linux appliances.

This is Amichai's core hardware hacking course content, delivered live, with hands-on labs and a full end-to-end demonstration from boot evidence to root shell.

What attendees receive:

• Live 4-hour masterclass with Th3_H1tchH1ker

• Secure Boot Trust Mapping Framework (reusable analysis template)

• Terminal Only Secure Boot Assessment Checklist (field-ready workflow)

• Ubuntu Secure Boot Challenge VM (downloadable from TrainSec GitHub)

• Masterclass recording (lifetime access)

• $49 TrainSec course voucher usable on any course in the catalog

Event details:

• Date: Monday, May 18, 2026

• Time: 10:00 AM EDT (14:00 UTC / 16:00 CEST / 17:00 IDT / 22:00 SGT)

• Duration: 4 hours

• Price: $49 per seat (includes $49 course voucher, effectively free credit toward the TrainSec catalog)

• Format: Live online, hands-on lab

Learn more and register: https://trainsec.net/bypassing-secure-boot-live-4h

About TrainSec

TrainSec (trainsec.net) is an online cybersecurity and systems security training academy built on the principle that professionals train professionals. Courses and live events are taught by practitioners with deep hands-on expertise in Windows internals, malware analysis, embedded security, and firmware research. TrainSec's free knowledge library publishes technical research and long-form practitioner writing accessible to the broader security community.

Media Contact: info@trainsec.net | https://trainsec.net

Media Contact
Company Name: Scorpio Software LLC
Contact Person: Mickey Zelansky
Phone: 5513464575
Address: 95 Newcomb Rd.
City: Tenafly
State: NJ
Country: United States
Website: https://trainsec.net