Advisory

NVIDIA reports container escape vulnerabilities in Container Toolkit

Take action: If you're running NVIDIA Container Toolkit or GPU Operator for AI workloads, either upgrade to Container Toolkit version 1.17.8 and GPU Operator version 25.3.1 or disable the vulnerable enable-cuda-compat hook by setting the disable-cuda-compat-lib-hook flag to true in your configuration files. The exploit is trivial, and attackers will find your systems, one way or another.



NVIDIA reports two security vulnerabilities in its Container Toolkit and GPU Operator software that expose the AI ecosystem of major cloud providers. This toolkit powers AI services offered by cloud and SaaS providers.

The vulnerabilities enable container escape attacks that could allow malicious actors to bypass isolation and gain complete control over host systems running AI workloads. Security researchers from Wiz dubbed the most severe flaw "NVIDIAScape" due to its potential for widespread impact across AI infrastructure.

Vulnerabilities summary

  • CVE-2025-23266 (CVSS score 9.0) - a container escape vulnerability in initialization hooks used by the Container Toolkit across all platforms. The flaw allows attackers to execute arbitrary code with elevated permissions through insufficient validation in container initialization processes. The vulnerability can be exploited with a simple three-line Dockerfile. A successful exploit enables escalation of privileges, data tampering, information disclosure, and denial of service.
  • CVE-2025-23267 (CVSS score 8.5) - a vulnerability in the update-ldcache hook that allows attackers to carry out link-following attacks using specially crafted container images. The flaw exploits inadequate file validation checks. Successful exploitation could lead to data tampering and denial of service.

The affected host does not need to be publicly exposed, as initial access vectors may include social engineering attempts against developers, supply chain scenarios where an attacker has prior access to a container image repository, or any environment that allows users to load arbitrary images.

Vulnerable versions

  • NVIDIA Container Toolkit versions up to and including 1.17.7 are vulnerable to both security flaws on all supported platforms.
  • NVIDIA GPU Operator for Linux versions up to 25.3.0 are affected.
  • For organizations running Container Runtime in CDI mode, only versions prior to 1.17.5 are affected by the critical CVE-2025-23266 vulnerability.

Organizations should upgrade NVIDIA Container Toolkit to version 1.17.8 and GPU Operator to version 25.3.1 to patch these flaws. Red Hat Enterprise Linux and OpenShift deployments require specific targeting of the v1.17.8-ubi8 tag during updates.

For organizations unable to immediately upgrade, the flaws can be mitigated by disabling the vulnerable enable-cuda-compat hook. Container Runtime users can modify the /etc/nvidia-container-toolkit/config.toml file to set the features.disable-cuda-compat-lib-hook flag to true. GPU Operator users can implement mitigation through Helm deployment parameters to disable the vulnerable hook functionality.

Current threat intelligence indicates no evidence of active exploitation in the wild, but the simplicity of the exploit mechanism and widespread deployment of vulnerable systems create urgent security concerns.
