9.0 on the CVSS, But Only 3 Lines of Code

The Third Critical NVIDIA Container Toolkit Vulnerability in a Year Could Expose All Customer Data on Shared Servers

A single compromised container. Three lines of code. Full access to every customer’s data on the server.

That’s the nightmare scenario behind CVE-2025-23266, a newly discovered vulnerability in the NVIDIA Container Toolkit, uncovered by the cloud security firm Wiz. Scoring a 9.0 on the Common Vulnerability Scoring System (CVSS), the issue—dubbed NVIDIAScape—poses a severe risk to cloud environments running GPU-accelerated workloads, especially those tied to artificial intelligence.

A Flaw in the Foundation

The vulnerability affects all versions of the NVIDIA Container Toolkit up to and including 1.17.7, as well as NVIDIA GPU Operator prior to version 25.3.0. Fortunately, it has already been patched in the latest releases—1.17.8 and 25.3.1, respectively.

At the heart of the problem lies the use of OCI hooks, components used to initialize containers. One such hook, createContainer, was misconfigured, allowing attackers to exploit it by loading a malicious shared library during container startup.

These hooks run with elevated privileges and execute in the container’s file system context, giving attackers a golden opportunity to inject malicious code at the moment the container comes to life.

Just Three Lines of Code

The attack is dangerously simple. According to Wiz researchers, it takes only three lines in a Dockerfile:

  • Set the LD_PRELOAD environment variable
  • Point it to a malicious .so file
  • Let the container start

That’s it. From there, the attacker can break out of the container and take full control of the host system.
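An added defensive check, not code from the article, Wiz, or NVIDIA: it compares a host's Container Toolkit version string against the patched 1.17.8 release named above and flags images whose baked-in environment sets LD_PRELOAD. The function names, the sample data, and the inclusion of LD_AUDIT alongside LD_PRELOAD are assumptions of this example.

```python
import json

# Loader variables that make the dynamic linker pull in extra code at process
# start. LD_PRELOAD is the one the article names; LD_AUDIT is added here (assumption).
LOADER_VARS = {"LD_PRELOAD", "LD_AUDIT"}
FIXED_TOOLKIT = (1, 17, 8)  # first patched Container Toolkit release per the article


def parse_version(text):
    """Turn '1.17.7' or 'v1.17.7-1' into a comparable tuple such as (1, 17, 7)."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def toolkit_is_patched(version_text):
    return parse_version(version_text) >= FIXED_TOOLKIT


def loader_env_findings(inspect_json):
    """Return (image, variable, value) for loader variables set in `docker image inspect` JSON."""
    findings = []
    for image in json.loads(inspect_json):
        name = (image.get("RepoTags") or [image.get("Id", "<unknown>")])[0]
        for entry in (image.get("Config") or {}).get("Env") or []:
            var, _, value = entry.partition("=")
            if var in LOADER_VARS and value:
                findings.append((name, var, value))
    return findings


# Constructed sample input, not real inspection output.
SAMPLE_INSPECT = json.dumps([
    {"Id": "sha256:aaaa", "RepoTags": ["example/train:1.0"],
     "Config": {"Env": ["PATH=/usr/bin", "LD_LIBRARY_PATH=/usr/local/nvidia/lib64"]}},
    {"Id": "sha256:bbbb", "RepoTags": ["example/unknown:latest"],
     "Config": {"Env": ["PATH=/usr/bin", "LD_PRELOAD=/opt/lib/hook.so"]}},
    {"Id": "sha256:cccc", "RepoTags": None, "Config": {"Env": None}},
])

if __name__ == "__main__":
    for host_version in ("1.17.7", "1.17.8"):
        state = "patched" if toolkit_is_patched(host_version) else "VULNERABLE"
        print(f"toolkit {host_version}: {state}")
    for image, var, value in loader_env_findings(SAMPLE_INSPECT):
        print(f"review {image}: sets {var}={value}")
```

An image-level scan is only one signal, since the same variable can also be supplied when a container is launched; upgrading the toolkit is what closes the hole.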

Cloud AI at Risk

What makes this vulnerability particularly alarming is its massive potential impact. Wiz estimates that roughly 37% of AI-powered cloud environments are affected. In shared, multi-tenant setups—common in public clouds—a single compromised container could lead to unauthorized access to data and models belonging to other customers on the same server.

We're not just talking about data leaks. We're talking intellectual property theft, workflow disruptions, and even denial-of-service attacks on critical infrastructure.

A Pattern of Neglect?

This isn’t NVIDIA’s first stumble. Wiz previously disclosed two similar vulnerabilities in the company’s container tooling:

  • CVE-2024-0132
  • CVE-2025-23359

Each allowed for full system compromise via weak container isolation.

NVIDIAScape marks the third such vulnerability in under 18 months, calling into question the robustness of container-based security in GPU-rich cloud environments.

As Wiz bluntly put it: "Relying solely on containers for security is no longer acceptable." They recommend organizations introduce additional barriers, such as virtualization, especially in multi-tenant environments, where the blast radius of an attack is much greater.

Containers Aren’t Bulletproof

This latest incident underscores a broader truth: the threats we understand best are often the ones we overlook. While the cybersecurity world scrambles to counter emerging threats from AI-generated malware or deepfake phishing, many environments remain vulnerable to well-known, long-standing attack vectors—like privilege escalation via misconfigured hooks.

The lesson here isn’t about any one vulnerability. It’s about recognizing that basic operational hygiene—regular patching, least-privilege enforcement, and layered defenses—remains the foundation of security. In other words: don’t wait for AI to become sentient to lock down your infrastructure.

Final Thoughts

The NVIDIAScape vulnerability is a sobering reminder that sophisticated attacks don’t always require sophisticated code. Sometimes, all it takes is three lines—if they’re written in the right place.

As the race to deploy AI and GPU workloads accelerates, organizations must treat infrastructure-level components like container runtimes with the same caution as exposed APIs or endpoint software. Insecure hooks might seem obscure, but they can open the door to complete system compromise.

And in a multi-tenant world, when one customer falls, everyone could fall with them.
