3-line exploit revealed for critical Nvidia Container Toolkit flaw


A critical NVIDIA Container Toolkit vulnerability could be exploited using a three-line Dockerfile, Wiz revealed Thursday.

The flaw, tracked as CVE-2025-23266 and dubbed “NVIDIAScape” by Wiz, has a CVSS score of 9.0 and risks the exposure of sensitive data, including proprietary AI models, in multi-tenant environments.

An attacker could set up a container image on a vulnerable cloud service and use the three-line exploit and a malicious library to escape the container environment to gain root access to the host.

The NVIDIA Container Toolkit is widely used to enable containerized applications, such as AI applications, to leverage NVIDIA GPUs. Based on an analysis of more than 100,000 public cloud environments, Wiz predicted about 37% of environments could be vulnerable to CVE-2025-23266.

The flaw was discovered by Wiz researchers Nir Ohfeld and Shir Tamari and affects versions of NVIDIA Container Toolkit (NCT) up to and including v1.17.7 (CDI mode only prior to 1.17.5) and NVIDIA GPU Operator versions up to and including 25.3.0 (CDI mode only prior to 25.3.0), according to NVIDIA’s security bulletin published Tuesday.

The vulnerability lies in NCT’s implementation of Open Container Initiative (OCI) hooks, which enable scripts to run at certain points in a container’s lifecycle, such as upon container creation or deletion.

NCT registers the hook createContainer when a container is started with the NVIDIA runtime; createContainer runs the binary nvidia-ctk with root privileges on the host in order to perform the necessary setup for the new container.

Wiz researchers found that this hook inherits environment variables from the container image by default, meaning the creator of a malicious container can control the variables used when this privileged process is run.

The hook’s working directory is also set to the container’s root filesystem, making it easy to introduce attacker-controlled files into the process.

Using the LD_PRELOAD environment variable, the attacker can force nvidia-ctk to load a malicious library, escaping the container and gaining privileged access to the host. The three-line Dockerfile needed to set the LD_PRELOAD variable and point to the malicious library is included in Wiz’s blog post.

NVIDIA recommended updating affected services to the patched versions, NVIDIA Container Toolkit v1.17.8 and NVIDIA GPU Operator v25.3.1. The issue can also be mitigated by opting out of the enable-cuda-compat hook; configuration instructions are included in NVIDIA’s security bulletin.
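A defender-side check built from the details above, as an added example that is not code from NVIDIA, Wiz or the article: it applies the affected NCT version range quoted from the bulletin and flags image configs whose `Env` sets a dynamic-loader variable. The function names, the `LD_AUDIT` entry and the sample image configs are assumptions constructed for illustration; the input is assumed to be an OCI image config JSON document.

```python
import json

# LD_PRELOAD is the variable named in the article; LD_AUDIT is an added
# assumption, another glibc loader variable that names libraries to load.
LOADER_VARS = {"LD_PRELOAD", "LD_AUDIT"}
FIXED_NCT = (1, 17, 8)        # fixed release named in the article
ALL_MODES_FROM = (1, 17, 5)   # earlier releases are affected in CDI mode only


def parse_version(text):
    """Turn 'v1.17.7' or '1.17.7' into (1, 17, 7)."""
    return tuple(int(part) for part in text.lstrip("v").split("."))


def nct_is_affected(version, cdi_mode):
    """Apply the affected range the article quotes from NVIDIA's bulletin."""
    v = parse_version(version)
    if v >= FIXED_NCT:
        return False
    return True if v >= ALL_MODES_FROM else cdi_mode


def loader_env_findings(image_config_json):
    """Return (name, value) pairs for loader variables set in an OCI image config."""
    config = json.loads(image_config_json).get("config") or {}
    findings = []
    for entry in config.get("Env") or []:
        name, _, value = entry.partition("=")
        if name in LOADER_VARS:
            findings.append((name, value))
    return findings


def admit(image_config_json, nct_version, cdi_mode):
    """Reject images that set loader variables while the host toolkit is unpatched."""
    findings = loader_env_findings(image_config_json)
    if findings and nct_is_affected(nct_version, cdi_mode):
        return False, findings
    return True, findings


# Constructed sample image configs (not taken from the article or from Wiz's post).
SUSPICIOUS = json.dumps({"config": {"Env": ["PATH=/usr/bin", "LD_PRELOAD=/opt/placeholder.so"]}})
BENIGN = json.dumps({"config": {"Env": ["PATH=/usr/bin", "NVIDIA_VISIBLE_DEVICES=all"]}})

if __name__ == "__main__":
    for label, cfg in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, admit(cfg, "v1.17.7", cdi_mode=False))
```

Findings are returned even when the image is admitted, so a patched host can still log images that set loader variables for review.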

Wiz noted that this vulnerability highlights risks to AI security as companies leverage managed AI cloud and GPU services to power their AI tools.

“Additionally, this research highlights, not for the first time, that containers are not a strong security barrier and should not be relied upon as the sole means of isolation,” the researchers wrote. “When designing applications, especially for multi-tenant environments, one should always ‘assume a vulnerability’ and implement at least one strong isolation barrier, such as virtualization (as explained in the PEACH framework).”

Wiz previously discovered a similar NCT container escape flaw, tracked as CVE-2024-0132, last year.
