The Nvidia Container Toolkit for Linux is a collection of tools that let developers create and run GPU-accelerated containers using Docker or other container runtimes. However, it has a flaw that lets threat actors access the host file system and use it to remotely execute malicious code, launch denial-of-service attacks, escalate privileges, steal confidential data, or alter it.
The company confirmed the news in a security advisory, pointing out that the bug, which is being tracked as CVE-2025-23359, affects both the Nvidia Container Toolkit and Nvidia GPU Operator, a Kubernetes-native solution that automates the deployment, management, and monitoring of Nvidia GPU resources in a Kubernetes cluster.
A severity score of 8.3 was given to it, and it was claimed to impact all Container Toolkit versions up to and including 1.17.3 and every iteration up to and including 24.9.1 one GPU operator.
“NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering,” the company said recently in an advisory.
Patch Bypass
The bugs were fixed in versions 1.17.4 and 24.9.2 respectively. Furthermore, it should be noted that the defect is limited to Linux and has no effect on use cases involving CDI. Cloud security firm Wiz, which shared additional technical specifics of the flaw, said it’s a bypass for another vulnerability that was addressed by NVIDIA in September 2024.
It appears that the previous bug, which is tracked as CVE-2024-0132, has a 9.0 severity score, meaning that it is critical because it could give malicious actors free access to almost anything by enabling them to mount the host’s root file system into a container. Furthermore, full host compromise and the launch of privileged containers are possible with this access.
“Wiz researchers security researchers Shir Tamari, Ronen Shustin, and Andres Riancho said their source code analysis of the container toolkit found that the file paths used during mount operations could be manipulated using a symbolic link such that it makes it possible to mount from outside the container (i.e., the root directory) into a path within /usr/lib64,” reported The Hacker News.
While the container escape affords read-only access to the host file system, this limitation can be negated by interacting with the Unix sockets to spawn new privileged containers and gain unrestricted access to the file system.
“This elevated level of access also allowed us to monitor network traffic, debug active processes, and perform a range of other host-level operations,” the researchers said.
Nvidia claims that the problem was resolved in September 2024 and that users should apply the patches that were made available to fix it. It also cautions users against turning off the “–no-cntlibs” flag in production environments.
Meanwhile, the high-end RTX 50 series launch from Nvidia has been rescheduled for March 2025, according to sources in the notebook supply chain. This delay also affects the mid-range and entry-level models, as their March release date has been rescheduled to April.