Cybersecurity researchers at Wiz have identified a critical vulnerability, dubbed NVIDIAScape (CVE-2025-23266), within the NVIDIA Container Toolkit, allowing attackers to bypass container isolation and achieve root access to the underlying host machine.
The vulnerability affects all versions of the NVIDIA Container Toolkit up to and including 1.17.7, as well as NVIDIA GPU Operator versions up to and including 25.3.0. The GPU Operator is widely used to deploy and manage the toolkit and GPU drivers on Kubernetes clusters, so a vulnerable Operator release means a vulnerable toolkit on every GPU node it manages. The flaw carries a CVSS score of 9.0 (Critical).
A significant concern arising from this discovery is its potential impact on managed AI cloud services. In these multi-tenant environments, where various users share GPU infrastructure, a single compromised container could expose the data and models of other users on the same machine. Wiz estimates that approximately 37% of cloud environments are susceptible to this flaw, including those managed by major cloud providers.
The technical root of NVIDIAScape lies in how the NVIDIA Container Toolkit handles OCI (Open Container Initiative) runtime hooks, specifically the createContainer hook. That hook runs on the host with root privileges, but it is started with the environment variables declared by the container image (for example with ENV in a Dockerfile) rather than a clean host environment. Because the dynamic loader honors LD_PRELOAD, an image that sets LD_PRELOAD to a shared object shipped inside the image causes the privileged hook process to load the attacker's .so, executing attacker-controlled code as root on the host. No special runtime flags or privileged-container settings are needed; a container image that sets the variable is enough.
NVIDIA has acknowledged the vulnerability in a security bulletin, warning of potential consequences including “escalation of privileges, data tampering, information disclosure, and denial-of-service.” In response, NVIDIA has released patches in version 1.17.8 of the Container Toolkit and version 25.3.1 of the GPU Operator.
NVIDIA strongly advises all users to upgrade their systems immediately, regardless of whether the host machine is directly exposed to the internet. The company highlights that attackers can gain access through various means, such as social engineering, compromised container images, or tainted repositories. For instances where immediate upgrades are not feasible, NVIDIA recommends disabling the enable-cuda-compat hook, which is central to the vulnerability.
Security teams are urged to prioritize patching hosts that run containers built from untrusted or publicly available images, especially within shared GPU environments. It is crucial to understand that direct internet exposure is not a prerequisite for exploitation; attackers can utilize social engineering tactics or supply chain infiltration to deliver malicious images.
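As an added example (not code from the Wiz write-up or NVIDIA's bulletin), the following Python script covers the three checks a security team would want before and during the rollout described above: comparing installed versions against the fixed releases named in the article, scanning an OCI image config for an LD_PRELOAD entry of the kind the attack plants through a Dockerfile, and confirming the interim mitigation is set. The config key `disable-cuda-compat-lib-hook` under `[features]` in /etc/nvidia-container-toolkit/config.toml is my recollection of NVIDIA's documented workaround and should be verified against the bulletin; the LD_AUDIT check is a generalization beyond the published attack, and every sample input is constructed.

```python
"""Added example for CVE-2025-23266 (NVIDIAScape): pre-patch checks for
hosts and images. Not from Wiz or NVIDIA; sample inputs are constructed."""
import json
import re

# Fixed versions named in NVIDIA's bulletin.
FIXED_TOOLKIT = (1, 17, 8)
FIXED_GPU_OPERATOR = (25, 3, 1)

# Loader variables that make ld.so load attacker-chosen code. The published
# attack uses LD_PRELOAD; LD_AUDIT is added as a generalization because it
# also causes a shared object to be mapped into the process.
LOADER_VARS = {"LD_PRELOAD", "LD_AUDIT"}


def parse_version(text):
    """Turn '1.17.7', 'v25.3.0' or a packaged '1.17.8-1' into an int tuple.
    Packaging suffixes after '-', '~' or '+' are dropped."""
    core = re.split(r"[-~+]", text.strip().lstrip("v"), maxsplit=1)[0]
    return tuple(int(p) for p in core.split("."))


def toolkit_is_vulnerable(version):
    """True when an nvidia-container-toolkit version predates 1.17.8."""
    return parse_version(version) < FIXED_TOOLKIT


def gpu_operator_is_vulnerable(version):
    """True when a GPU Operator version predates 25.3.1."""
    return parse_version(version) < FIXED_GPU_OPERATOR


def loader_vars_in_image_config(config_json):
    """Return {VAR: value} for loader-controlling ENV entries in an OCI image
    config (the JSON behind `docker image inspect` or `skopeo inspect --config`).
    A non-empty result on an untrusted image is the indicator the article
    describes: the image ships its own LD_PRELOAD for the host-side hook."""
    cfg = json.loads(config_json)
    env = cfg.get("config", {}).get("Env") or []
    found = {}
    for entry in env:
        name, _, value = entry.partition("=")
        if name in LOADER_VARS:
            found[name] = value
    return found


def compat_hook_disabled(config_toml):
    """Check config.toml text for the interim mitigation. Assumed key
    (verify against NVIDIA's bulletin):
        [features]
        disable-cuda-compat-lib-hook = true
    Parsed by hand so it runs on Python versions without tomllib."""
    section = None
    for raw in config_toml.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip()
            continue
        key, _, value = (x.strip() for x in line.partition("="))
        if section == "features" and key == "disable-cuda-compat-lib-hook":
            return value.lower() == "true"
    return False


# --- constructed sample inputs -------------------------------------------
SAMPLE_IMAGE_CONFIG = json.dumps({
    "architecture": "amd64",
    "config": {
        "Env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin",
            "LD_PRELOAD=/tmp/inject.so",   # constructed indicator
        ],
        "Cmd": ["sleep", "infinity"],
    },
})

SAMPLE_CONFIG_TOML = """
[nvidia-container-cli]
environment = []
[features]
# interim mitigation (assumed key name, see lead-in)
disable-cuda-compat-lib-hook = true
"""

if __name__ == "__main__":
    print("toolkit 1.17.7 vulnerable:", toolkit_is_vulnerable("1.17.7"))
    print("toolkit 1.17.8-1 vulnerable:", toolkit_is_vulnerable("1.17.8-1"))
    print("operator v25.3.0 vulnerable:", gpu_operator_is_vulnerable("v25.3.0"))
    print("loader vars in image:", loader_vars_in_image_config(SAMPLE_IMAGE_CONFIG))
    print("compat hook disabled:", compat_hook_disabled(SAMPLE_CONFIG_TOML))
```

The image scan is the check worth wiring into CI for any registry that accepts public or third-party images: an LD_PRELOAD in an image's ENV has almost no legitimate use and, on an unpatched host, is the whole attack. Treat the hook check as confirmation of a stopgap only; the article's fix is the upgrade to 1.17.8 / 25.3.1.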
This incident is not an isolated one for the NVIDIA Container Toolkit. In September 2024, Wiz Research uncovered another container escape flaw, CVE-2024-0132, affecting the same toolkit. These recurring vulnerabilities underscore a broader trend: “old-school” infrastructure weaknesses, rather than theoretical AI-based attacks, pose the most immediate and significant threats to AI systems. As the Wiz research team noted, “While the hype around AI security risks tends to focus on futuristic, AI-based attacks, ‘old-school’ infrastructure vulnerabilities in the ever-growing AI tech stack remain the immediate threat that security teams should prioritize.”