Cybersecurity researchers have discovered a bypass for a now-patched security vulnerability in the NVIDIA Container Toolkit that could be exploited to break out of a container’s isolation protections and gain complete access to the underlying host.
The new vulnerability is being tracked as CVE-2025-23359 (CVSS score: 8.3). It affects the following versions –
- NVIDIA Container Toolkit (All versions up to and including 1.17.3) – Fixed in version 1.17.4
- NVIDIA GPU Operator (All versions up to and including 24.9.1) – Fixed in version 24.9.2
“NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system,” the company said in an advisory on Tuesday.
“A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.”
Cloud security firm Wiz, which shared additional technical specifics of the flaw, said it’s a bypass for another vulnerability (CVE-2024-0132, CVSS score: 9.0) that was addressed by NVIDIA in September 2024.
In a nutshell, the vulnerability enables bad actors to mount the host’s root file system into a container, granting them unfettered access to all files. Furthermore, the access can be leveraged to launch privileged containers and achieve full host compromise via the runtime Unix socket.
Wiz researchers security researchers Shir Tamari, Ronen Shustin, and Andres Riancho said their source code analysis of the container toolkit found that the file paths used during mount operations could be manipulated using a symbolic link such that it makes it possible to mount from outside the container (i.e., the root directory) into a path within “/usr/lib64.”
While the access to the host file system afforded by the container escape is read-only, this limitation can be circumvented by interacting with the Unix sockets to spawn new privileged containers and gain unrestricted access to the file system.
“This elevated level of access also allowed us to monitor network traffic, debug active processes, and perform a range of other host-level operations,” the researchers said.
Besides updating to the latest version, users of the NVIDIA Container Toolkit are recommended to not disable the “–no-cntlibs” flag in production environments.
