Critical Vulnerability in NVIDIA Container Toolkit Exposes Host Systems, Patches Released After Exploit Bypass
A high-severity vulnerability (CVE-2025-23359) in NVIDIA's Container Toolkit allows attackers to bypass container isolation and gain unauthorized access to the host system, potentially leading to code execution and privilege escalation. Although NVIDIA released patches to fix the issue, researchers uncovered a new exploit method. Users are advised to update to the latest versions of the toolkit and GPU Operator to mitigate risks, while also being cautious of configuration changes that could disrupt applications.
New NVIDIA Container Toolkit Vulnerability Exposed, Patch Released After Bypass Found
NVIDIA has recently released critical security patches for its Container Toolkit and GPU Operator following the discovery of a high-severity vulnerability (CVE-2025-23359). This vulnerability could potentially allow attackers to bypass container isolation protections, gaining full access to the underlying host system.
Details of the Vulnerability
The flaw, tracked as CVE-2025-23359, affects NVIDIA Container Toolkit versions up to 1.17.3 and NVIDIA GPU Operator versions up to 24.9.1. The vulnerability arises from a Time-of-Check Time-of-Use (TOCTOU) issue, where a crafted container image could allow attackers to gain unauthorized access to the host file system. This could lead to several severe outcomes, including code execution, privilege escalation, information disclosure, data tampering, and system crashes.
The vulnerability has a CVSS score of 8.3, classified as high severity, underlining the critical need for organizations to patch their systems promptly.
The Discovery of a Bypass
Just days after the initial patch, cybersecurity researchers uncovered a method to bypass the security fixes. Researchers from Wiz Security discovered that malicious actors could still exploit the vulnerability to mount the host's root file system into a container. This gives attackers unfettered access to critical files and allows them to spawn privileged containers, leading to a complete compromise of the host system.
The bypass works by manipulating symbolic links and leveraging Unix sockets to escalate privileges. Despite the access being initially read-only, attackers could bypass this limitation to gain unrestricted access, monitor network traffic, and debug active processes.
The Fix and Its Impact
In response, NVIDIA has released updated versions of both the Container Toolkit (version 1.17.4) and GPU Operator (version 24.9.2). These updates close the vulnerability but also alter the default behavior of the NVIDIA Container Toolkit, affecting how CUDA compatibility libraries are mounted in containers. While this change improves security, it may impact some applications dependent on the previous behavior.
Users who require the legacy setup can opt-in to the previous behavior using a feature flag (allow-cuda-compat-libs-from-container), but NVIDIA strongly advises against using it, as it reintroduces the vulnerability.
Key Recommendations:
- Users should update to the latest versions (1.17.4 and 24.9.2) as soon as possible.
- Avoid disabling the “--no-cntlibs” flag in production environments.
- If CUDA Forward Compatibility is needed, users can set the
LD_LIBRARY_PATHto include/usr/local/cuda/compat, but this may cause portability issues across different driver versions.
Acknowledgments and Future Updates
The vulnerability was initially reported by researchers from Wiz Security (Andres Riancho, Ronen Shustin, and Shir Tamari), along with Lei Wang, who independently identified the issue. NVIDIA is continuing to monitor the situation and encourages users to subscribe to their security bulletins for the latest information and updates.
As threats like these evolve, it remains essential for organizations to promptly address vulnerabilities through regular updates and proactive security management.
