
    Researchers Uncover Fresh Exploit Circumventing NVIDIA Container Toolkit Fix

    A cadre of cybersecurity analysts has unearthed a novel method to sidestep a previously mitigated security flaw within the NVIDIA Container Toolkit, a lapse that, if weaponized, enables adversaries to breach container isolation mechanisms and commandeer absolute control over the host infrastructure.

    This newly identified vulnerability, cataloged as CVE-2025-23359 with a CVSS severity score of 8.3, impacts the following software versions:

    • NVIDIA Container Toolkit (all iterations up to and including 1.17.3) – Rectified in version 1.17.4
    • NVIDIA GPU Operator (all iterations up to and including 24.9.1) – Remediated in version 24.9.2

    According to NVIDIA’s advisory, the flaw stems from a Time-of-Check to Time-of-Use (TOCTOU) race condition that is present in default configurations. It allows a tampered container image to gain access to the host’s file system, defeating container isolation.

    “A successful exploitation of this flaw could result in arbitrary code execution, denial-of-service conditions, privilege escalation, unauthorized data access, and malicious alterations to critical files,” NVIDIA cautioned in its disclosure on Tuesday.

    A Shadow of a Predecessor – Exploit Builds on Prior Flaw

    Cloud security firm Wiz, which conducted an in-depth technical dissection of the issue, characterized this as a bypass exploit for a prior vulnerability (CVE-2024-0132, CVSS score: 9.0), which NVIDIA patched in September 2024.

    At its core, the exploit empowers threat actors to mount the host’s root file system inside a compromised container, thereby granting them unbridled access to all underlying system files. Beyond mere infiltration, this access facilitates the escalation of privileges via the runtime Unix socket, ultimately paving the way for full host compromise.

    Security specialists Shir Tamari, Ronen Shustin, and Andres Riancho from Wiz uncovered that manipulation of symbolic links within the container toolkit’s mount operations allows a hostile entity to traverse beyond the container’s boundaries, effectively remapping the host’s root directory into “/usr/lib64” within the container.

    While the granted access is initially read-only, attackers can subvert this restriction by engaging with Unix sockets to spawn elevated privilege containers, thereby acquiring full-fledged control over the host’s file system.

    “This elevated foothold enabled us to inspect network traffic, probe active processes, and execute an array of system-level operations, demonstrating the criticality of this flaw,” the researchers stated.
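The check-then-use gap behind a symlink TOCTOU of the kind described in this section, shown on a constructed temp-directory layout. This is an added example, not NVIDIA's or Wiz's code, and it does not reproduce the toolkit's mount logic; the names check_inside, open_beneath and demo, and the rootfs/outside layout, are assumptions of the example. The descriptor-relative walk is one general hardening pattern, not a description of the vendor's fix.

```python
import os
import tempfile

NOFOLLOW_DIR = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC

def check_inside(root, relpath):
    """Time of check: does the path currently resolve inside root?"""
    root = os.path.realpath(root)
    real = os.path.realpath(os.path.join(root, relpath))
    return os.path.commonpath([root, real]) == root

def open_beneath(root_fd, relpath):
    """Walk relpath one component at a time from root_fd, never following
    a symlink, so the directory that is validated is the one that is used."""
    fd = os.dup(root_fd)
    try:
        for part in relpath.strip("/").split("/"):
            if part in ("", ".", ".."):
                raise PermissionError(f"illegal component {part!r}")
            nxt = os.open(part, NOFOLLOW_DIR, dir_fd=fd)  # OSError on a symlink
            os.close(fd)
            fd = nxt
        return fd
    except BaseException:
        os.close(fd)
        raise

def demo():
    """Constructed layout: 'rootfs' is the container side, 'outside' stands in for the host."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        rootfs, outside = os.path.join(tmp, "rootfs"), os.path.join(tmp, "outside")
        target = os.path.join(rootfs, "usr", "lib64")
        os.makedirs(target)
        os.makedirs(outside)
        checked_ok = check_inside(rootfs, "usr/lib64")  # passes: a real directory
        os.rmdir(target)                                # state changes after the check
        os.symlink(outside, target)
        # Time of use, by path string: the symlink is followed out of rootfs.
        path_use_escapes = os.path.samefile(target, outside)
        root_fd = os.open(rootfs, NOFOLLOW_DIR)
        try:
            os.close(open_beneath(root_fd, "usr/lib64"))
            fd_walk_refuses = False
        except OSError:
            fd_walk_refuses = True
        finally:
            os.close(root_fd)
        return checked_ok, path_use_escapes, fd_walk_refuses
```

On Linux 5.6 and later, openat2() with RESOLVE_BENEATH or RESOLVE_IN_ROOT gives the same guarantee in a single call.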

    Mitigation Measures – Strengthening Defenses

    To thwart potential exploitation, NVIDIA urges all users to upgrade to the patched versions. Furthermore, it is strongly recommended that the --no-cntlibs flag remain enabled in production environments, as disabling it could reintroduce significant security risks.
