Wiz Research has disclosed a critical container escape vulnerability in the NVIDIA Container Toolkit, dubbed NVIDIAScape, that poses a significant threat to the security of AI cloud services worldwide.
The flaw, tracked as CVE-2025-23266 with a CVSS score of 9.0, enables malicious containers to bypass isolation measures and gain full root access to host machines through a remarkably simple three-line exploit.
The vulnerability affects all versions of the NVIDIA Container Toolkit up to v1.17.7 and NVIDIA GPU Operator versions up to 25.3.1, creating systemic risk across the AI ecosystem.
Since the toolkit powers GPU access for major cloud providers’ managed AI services, the flaw could allow malicious customers to escape container boundaries and access sensitive data from other customers sharing the same hardware infrastructure.
The exploit leverages a subtle misconfiguration in how the toolkit handles Open Container Initiative (OCI) hooks.
When containers are launched with the NVIDIA runtime, the toolkit registers createContainer hooks that inherit environment variables from the container image.
This inheritance mechanism becomes the attack vector when combined with the Linux LD_PRELOAD environment variable.
The weaponization is stunningly simple. Attackers need only create a malicious Dockerfile containing three lines: a base image, an LD_PRELOAD environment variable pointing to a malicious shared library, and the library file itself.
When executed, the nvidia-ctk hook process loads the attacker’s library with privileged access, instantly achieving container escape.
NVIDIA has released patches addressing the vulnerability, with the primary recommendation being to upgrade to the latest toolkit version immediately.
For systems that cannot be immediately updated, NVIDIA provides temporary mitigations, including disabling the enable-cuda-compat hook by setting the disable-cuda-compat-lib-hook flag to true in the configuration.
The vulnerability disclosure follows a responsible timeline, with Wiz Research initially reporting the flaw to NVIDIA on May 17, 2025, during the Pwn2Own Berlin event.
NVIDIA published its security bulletin and assigned the CVE on July 15, 2025.
This marks the second major container escape vulnerability that Wiz Research has discovered in NVIDIA’s toolkit, following CVE-2024-0132, which was disclosed last year.
The recurrence highlights ongoing security challenges in AI infrastructure as organizations rapidly adopt GPU-accelerated services.
Security experts emphasize that this vulnerability underscores the limitations of container isolation and the critical importance of implementing additional security barriers, particularly in multi-tenant AI environments where customer data separation is paramount.
PortSwigger has leveled up Burp Suite's scanning arsenal with the latest Active Scan++ extension, version…
Unit 42 researchers at Palo Alto Networks exposed serious flaws in the Model Context Protocol…
Polish police have arrested three Ukrainian men traveling through Europe and seized a cache of…
Google has launched its most significant Chrome update ever, embedding Gemini AI across the browser…
Attackers exploit this vulnerability through the router's web interface components, specifically "cgibin" and "hnap_main," by…
Security researchers have uncovered a severe flaw in Apache Tika, a popular open-source toolkit for…