NVIDIA Container Toolkit Vulnerabilities Enables Attackers to Run Code with Elevated Privileges

NVIDIA has released critical security updates for its Container Toolkit and GPU Operator following the discovery of two high-severity vulnerabilities that could allow attackers to execute arbitrary code with elevated permissions and cause system disruption.

The vulnerabilities, tracked as CVE-2025-23266 and CVE-2025-23267, affect all versions of the NVIDIA Container Toolkit up to 1.17.7 and GPU Operator up to 25.3.0, prompting immediate action from users across all platforms.

The more severe vulnerability, CVE-2025-23266, has been assigned a critical CVSS score of 9.0 and represents a significant security threat to containerized environments.

This vulnerability exists within certain hooks used to initialize containers, specifically allowing attackers to execute arbitrary code with elevated permissions.

The vulnerability affects all platforms running the NVIDIA Container Toolkit and could lead to complete system compromise.

Security researchers Nir Ohfeld and Shir Tamari, working with Trend Zero Day Initiative, discovered this critical vulnerability that enables privilege escalation, data tampering, information disclosure, and denial of service attacks.

The vulnerability is classified under CWE-426, indicating issues with untrusted search paths that can be exploited by malicious actors.

The attack vector requires adjacent network access with low complexity, making it particularly dangerous in multi-user or cloud environments where containers share infrastructure.

NVIDIA Container Toolkit Vulnerability

• CVE-2025-23267 carries a high CVSS score of 8.5 and affects the update-ldcache hook within the NVIDIA Container Toolkit.
  
• Attack method: Allows attackers to cause link following attacks by using specially crafted container images.
  
• Potential impact: Data tampering and denial of service conditions.
  
• Discovery: Identified by Lei Wang and Min Yao from Nebula Security Lab at Huawei Cloud.
  
• Classification: Categorized under CWE-59 for improper link resolution.
  
• Exploitation characteristics: Can be exploited remotely with low attack complexity, requiring only low-level privileges and no user interaction.
  
• Scope: Affects the same product versions as CVE-2025-23266, emphasizing the widespread nature of these security issues.
  
• Impact limitations: Limited to data integrity and availability rather than confidentiality.
  
• System effects: Successful exploitation could still disrupt containerized workloads and compromise system stability.

Mitigations

NVIDIA has released updated versions to address both vulnerabilities: Container Toolkit version 1.17.8 and GPU Operator version 25.3.1.

Users are strongly advised to update immediately by following the installation procedures outlined in the official NVIDIA Container Toolkit and GPU Operator documentation.

For organizations unable to update immediately, NVIDIA provides temporary mitigation strategies.

Users can disable the problematic enable-cuda-compat hook by modifying the configuration file /etc/nvidia-container-toolkit/config.toml to set the disable-cuda-compat-lib-hook feature flag to true.

For GPU Operator deployments, administrators can add the same flag to the NVIDIA_CONTAINER_TOOLKIT_OPT_IN_FEATURES environment variable using specific Helm arguments during installation or upgrade processes.

The vulnerabilities particularly affect Container Development Interface (CDI) mode implementations, with all versions prior to 1.17.5 being susceptible only in CDI mode.

Organizations using older versions should prioritize immediate updates to prevent potential exploitation of these critical security vulnerabilities.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.