Critical Vulnerability in NVIDIA Container Toolkit Threatens Cloud AI Services

Red Dog Security

2 min read
Critical Vulnerability in NVIDIA Container Toolkit Threatens Cloud AI Services

Security researchers at Wiz have uncovered a critical flaw in the NVIDIA Container Toolkit, warning that it poses a significant threat to GPU-accelerated workloads across managed cloud AI platforms.

The vulnerability—dubbed NvidiaScape and tracked as CVE-2025-23266 (CVSS score: 9.0)—was first demonstrated by the Wiz team at the Pwn2Own Berlin 2025 hacking competition, where the exploit earned them a $30,000 prize.

NVIDIA Acknowledges Flaw and Issues Patch

NVIDIA has since published an official advisory, confirming the severity of the bug and releasing patched versions of the affected software. According to the company, successful exploitation could lead to:

  • Privilege escalation
  • Data exposure
  • Data tampering
  • Denial-of-service (DoS) attacks

Affected Versions:

  • NVIDIA Container Toolkit up to version 1.17.7
  • NVIDIA GPU Operator up to version 25.3.0

Patched Releases:

  • 1.17.8 (Container Toolkit)
  • 25.3.1 (GPU Operator)

Why NvidiaScape Is Especially Dangerous

The NVIDIA Container Toolkit is a cornerstone of modern AI infrastructure. It enables developers to build and deploy GPU-accelerated containers—a capability widely adopted by major cloud providers offering managed AI services.

At the root of CVE-2025-23266 is a misconfiguration in Open Container Initiative (OCI) hooks, which are lifecycle scripts triggered during container runtime. In multi-tenant environments—where multiple users share GPU resources—this flaw becomes especially dangerous.

Real-World Impact and Exploitability

Wiz researchers demonstrated that a malicious container could abuse NvidiaScape to:

  • Escape its container and gain root access to the host
  • Steal or tamper with sensitive data
  • Compromise AI models belonging to other customers on the same physical machine

The exploit can be triggered with a simple three-line Dockerfile, making it both powerful and trivial to deploy once the attacker gains a foothold.

Now that a patch is public, technical details of the attack have been disclosed to promote urgency in mitigation.

Security Experts Sound the Alarm

In a statement accompanying the disclosure, Wiz researchers warned:

“This research once again highlights that containers are not a security boundary and should never be treated as such. In multi-user environments, always assume that vulnerabilities exist—and use at least one strong isolation layer, like virtualization.”

Mitigation Summary

Vulnerable:

  • NVIDIA Container Toolkit ≤ 1.17.7
  • NVIDIA GPU Operator ≤ 25.3.0

Fixed:

  • Container Toolkit → 1.17.8
  • GPU Operator → 25.3.1

Recommendation:

  • Update immediately if using affected versions
  • Enforce stronger isolation—such as VM-based sandboxing—when deploying GPU-accelerated or containerized AI workloads

Read more