Cybersecurity researchers have discovered a bypass for a now-patched security vulnerability in the NVIDIA Container Toolkit that could be exploited to break-out of a container’s isolation protections & gain complete access to the underlying host.
CVSS score: 8.3
The new vulnerability is being tracked as CVE-2025-23359 (CVSS score: 8.3). It affects the following versions –
- NVIDIA Container Toolkit (All versions up to & including 1.17.3) – Fixed in version 1.17.4
- NVIDIA GPU Operator (All versions up to & including 24.9.1) – Fixed in version 24.9.2
Time-of-Check Time-of-Use
“NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system,” the company commented in a Tues. advisory.
“A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, & data tampering.”
Cloud security firm Wiz, which shared additional technical details of the flaw, explained that it’s a bypass for another vulnerability (CVE-2024-0132, CVSS score: 9.0) that was addressed by NVIDIA in Sept. 2024.
Root File System
The vulnerability enables bad players to mount the host’s root file system into a container, granting them unfettered access to all files. Furthermore, the access can be used to launch privileged containers & achieve full host compromise via the runtime Unix socket.
Wiz researchers’ security researchers Shir Tamari, Ronen Shustin, & Andres Riancho stated that their source code analysis of the container toolkit found that the file paths used during mount operations could be manipulated using a symbolic link such that it makes it possible to mount from outside the container (i.e., the root directory) into a path within “/usr/lib64.”
Unix Sockets
While the access to the host file system afforded by the container escape is read-only, this limitation can be circumvented by interacting with the Unix sockets to spawn new privileged containers & gain unrestricted access to the file system.
“This elevated level of access also allowed us to monitor network traffic, debug active processes, & perform a range of other host-level operations,” the researchers observed.
Besides updating to the latest version, users of the NVIDIA Container Toolkit are recommended to not disable the “–no-cntlibs” flag in production environments.
