Cybersecurity researchers have disclosed a important container escape vulnerability within the NVIDIA Container Toolkit that would pose a extreme menace to managed AI cloud providers.
The vulnerability, tracked as CVE-2025-23266, carries a CVSS rating of 9.0 out of 10.0. It has been codenamed NVIDIAScape by Google-owned cloud safety firm Wiz.
“NVIDIA Container Toolkit for all platforms incorporates a vulnerability in some hooks used to initialize the container, the place an attacker may execute arbitrary code with elevated permissions,” NVIDIA mentioned in an advisory for the bug.
“A profitable exploit of this vulnerability would possibly result in escalation of privileges, information tampering, info disclosure, and denial-of-service.”
The shortcoming impacts all variations of NVIDIA Container Toolkit as much as and together with 1.17.7 and NVIDIA GPU Operator as much as and together with 25.3.0. It has been addressed by the GPU maker in variations 1.17.8 and 25.3.1, respectively.
The NVIDIA Container Toolkit refers to a set of libraries and utilities that allow customers to construct and run GPU-accelerated Docker containers. The NVIDIA GPU Operator is designed to deploy these containers mechanically on GPU nodes in a Kubernetes cluster.
Wiz, which shared particulars of the flaw in a Thursday evaluation, mentioned the shortcoming impacts 37% of cloud environments, permitting an attacker to doubtlessly entry, steal, or manipulate the delicate information and proprietary fashions of all different prospects operating on the identical shared {hardware} by way of a three-line exploit.
The vulnerability stems from a misconfiguration in how the toolkit handles the Open Container Initiative (OCI) hook “createContainer.” A profitable exploit for CVE-2025-23266 can lead to an entire takeover of the server. Wiz additionally characterised the flaw as “extremely” straightforward to weaponize.
“By setting LD_PRELOAD of their Dockerfile, an attacker may instruct the nvidia-ctk hook to load a malicious library,” Wiz researchers Nir Ohfeld and Shir Tamari added.
“Making issues worse, the createContainer hook executes with its working listing set to the container’s root filesystem. This implies the malicious library will be loaded straight from the container picture with a easy path, finishing the exploit chain.”
All of this may be achieved with a “stunningly easy three-line Dockerfile” that hundreds the attacker’s shared object file right into a privileged course of, leading to a container escape.
The disclosure comes a few months after Wiz detailed a bypass for one more vulnerability in NVIDIA Container Toolkit (CVE-2024-0132, CVSS rating: 9.0 and CVE-2025-23359, CVSS rating: 8.3) that would have been abused to realize full host takeover.
“Whereas the hype round AI safety dangers tends to give attention to futuristic, AI-based assaults, ‘old-school’ infrastructure vulnerabilities within the ever-growing AI tech stack stay the instant menace that safety groups ought to prioritize,” Wiz mentioned.
“Moreover, this analysis highlights, not for the primary time, that containers usually are not a powerful safety barrier and shouldn’t be relied upon as the only technique of isolation. When designing functions, particularly for multi-tenant environments, one ought to all the time ‘assume a vulnerability’ and implement at the least one robust isolation barrier, comparable to virtualization.”
Elevate your perspective with NextTech Information, the place innovation meets perception.
Uncover the newest breakthroughs, get unique updates, and join with a world community of future-focused thinkers.
Unlock tomorrow’s tendencies right this moment: learn extra, subscribe to our publication, and turn into a part of the NextTech neighborhood at NextTech-news.com
