\n<\/p>\n
Cybersecurity researchers have disclosed a critical container escape vulnerability in the NVIDIA Container Toolkit that could pose a severe threat to managed AI cloud services.<\/p>\n
The vulnerability, tracked as CVE-2025-23266, carries a CVSS score of 9.0 out of 10.0. It has been codenamed **NVIDIAScape** by Google-owned cloud security company Wiz.<\/p>\n
“NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions,” NVIDIA said in an advisory for the bug.<\/p>\n
<\/p>\n
“A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial-of-service.”<\/p>\n
The shortcoming impacts all versions of NVIDIA Container Toolkit up to and including 1.17.7 and NVIDIA GPU Operator up to and including 25.3.0. It has been addressed by the GPU maker in versions 1.17.8 and 25.3.1, respectively.<\/p>\n
The NVIDIA Container Toolkit refers to a collection of libraries and utilities that enable users to build and run GPU-accelerated Docker containers. The NVIDIA GPU Operator is designed to deploy these containers automatically on GPU nodes in a Kubernetes cluster.<\/p>\n
Wiz, which shared details of the flaw in a Thursday analysis, said the shortcoming affects 37% of cloud environments, allowing an attacker to potentially access, steal, or manipulate the sensitive data and proprietary models of all other customers running on the same shared hardware by means of a three-line exploit.<\/p>\n
The vulnerability stems from a misconfiguration in how the toolkit handles the Open Container Initiative (OCI) hook “createContainer.” A successful exploit for CVE-2025-23266 can result in a complete takeover of the server. Wiz also characterized the flaw as “incredibly” easy to weaponize.<\/p>\n
“By setting LD_PRELOAD in their Dockerfile, an attacker could instruct the nvidia-ctk hook to load a malicious library,” Wiz researchers Nir Ohfeld and Shir Tamari added. <\/p>\n
“Making matters worse, the createContainer hook executes with its working directory set to the container’s root filesystem. This means the malicious library can be loaded directly from the container image with a simple path, completing the exploit chain.”<\/p>\n
<\/p>\n
All of this can be achieved with a “stunningly simple three-line Dockerfile” that loads the attacker’s shared object file into a privileged process, resulting in a container escape.<\/p>\n
The disclosure comes a couple of months after Wiz detailed a bypass for another vulnerability in NVIDIA Container Toolkit (CVE-2024-0132, CVSS score: 9.0 and CVE-2025-23359, CVSS score: 8.3) that could have been abused to achieve complete host takeover.<\/p>\n
“While the hype around AI security risks tends to focus on futuristic, AI-based attacks, ‘old-school’ infrastructure vulnerabilities in the ever-growing AI tech stack remain the immediate threat that security teams should prioritize,” Wiz said.<\/p>\n
“Additionally, this research highlights, not for the first time, that containers are not a strong security barrier and should not be relied upon as the sole means of isolation. When designing applications, especially for multi-tenant environments, one should always ‘assume a vulnerability’ and implement at least one strong isolation barrier, such as virtualization.”<\/p>\n
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\n<\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services Update ID THN:CE811C955FB4C50C2602807329431337 Type thn Published 2025-07-18T10:59:00…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,86,12,13,7,11,43,5],"class_list":["post-8319","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-90","tag-exploit","tag-news","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n
Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=8319\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services Update ID THN:CE811C955FB4C50C2602807329431337 Type thn Published 2025-07-18T10:59:00...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=8319\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-18T06:33:56+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8319#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8319\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services\",\"datePublished\":\"2025-07-18T06:33:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8319\"},\"wordCount\":615,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.0\",\"exploit\",\"news\",\"Security\",\"tapic\",\"thn\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8319#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8319\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8319\",\"name\":\"Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-07-18T06:33:56+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8319#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8319\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8319#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=8319","og_locale":"en_US","og_type":"article","og_title":"Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services - zero redgem","og_description":"Security Update News Update Information Title Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services Update ID THN:CE811C955FB4C50C2602807329431337 Type thn Published 2025-07-18T10:59:00...","og_url":"https:\/\/zero.redgem.net\/?p=8319","og_site_name":"zero redgem","article_published_time":"2025-07-18T06:33:56+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=8319#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=8319"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services","datePublished":"2025-07-18T06:33:56+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=8319"},"wordCount":615,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.0","exploit","news","Security","tapic","thn","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=8319#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=8319","url":"https:\/\/zero.redgem.net\/?p=8319","name":"Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-07-18T06:33:56+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=8319#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=8319"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=8319#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8319","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8319"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8319\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8319"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8319"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8319"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}