Critical NVIDIA Container Toolkit Flaw Permits Privilege Escalation on AI Cloud Companies

Cybersecurity researchers have disclosed a critical container escape vulnerability in the NVIDIA Container Toolkit that could pose a severe risk to managed AI cloud providers.

The vulnerability, tracked as CVE-2025-23266, carries a CVSS score of 9.0 out of 10.0. It has been codenamed NVIDIAScape by Google-owned cloud security firm Wiz.

“NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker may execute arbitrary code with elevated permissions,” NVIDIA said in an advisory for the bug.

“A successful exploit of this vulnerability may result in escalation of privileges, information tampering, data disclosure, and denial-of-service.”

The flaw affects all versions of NVIDIA Container Toolkit up to and including 1.17.7 and NVIDIA GPU Operator up to and including 25.3.0. It has been addressed by the GPU maker in versions 1.17.8 and 25.3.1, respectively.

The NVIDIA Container Toolkit is a collection of libraries and utilities that enable users to build and run GPU-accelerated Docker containers. The NVIDIA GPU Operator is designed to deploy these containers automatically on GPU nodes in a Kubernetes cluster.

Wiz, which shared details of the flaw in a Thursday analysis, said the flaw affects 37% of cloud environments, allowing an attacker to potentially access, steal, or manipulate the sensitive data and proprietary models of all other customers running on the same shared hardware by way of a three-line exploit.

The vulnerability stems from a misconfiguration in how the toolkit handles the Open Container Initiative (OCI) hook “createContainer.” A successful exploit for CVE-2025-23266 can result in a complete takeover of the server. Wiz also characterized the flaw as “extremely” easy to weaponize.

“By setting LD_PRELOAD in their Dockerfile, an attacker may instruct the nvidia-ctk hook to load a malicious library,” Wiz researchers Nir Ohfeld and Shir Tamari added.

“Making matters worse, the createContainer hook executes with its working directory set to the container’s root filesystem. This means the malicious library could be loaded straight from the container image with a simple path, completing the exploit chain.”

All of this can be achieved with a “stunningly easy three-line Dockerfile” that loads the attacker’s shared object file into a privileged process, resulting in a container escape.
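A defender-side check for the two facts above, added here as an example and not taken from Wiz, NVIDIA or the original article: it flags images whose environment sets LD_PRELOAD and reports whether a host's toolkit or GPU Operator version predates the fixed releases. The function names, component keys and sample Dockerfile are constructed for illustration, and version parsing assumes plain dotted release numbers.

```python
import re
import shlex

# Fixed releases named in the article; anything older is in the affected range.
FIXED = {"container-toolkit": (1, 17, 8), "gpu-operator": (25, 3, 1)}

# Constructed sample input (not a real image): ENV with a continuation line.
SAMPLE_DOCKERFILE = (
    "FROM example.invalid/base:1.0\n"
    "ENV PATH=/usr/bin \\\n"
    "    LD_PRELOAD=/opt/app/libexample.so\n"
)

def is_affected(component: str, version: str) -> bool:
    """True if `version` is older than the fixed release for `component`."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    return nums < FIXED[component]

def preload_from_env(env: list[str]) -> list[str]:
    """LD_PRELOAD entries in an image config Env list of "KEY=value" strings."""
    hits = []
    for item in env:
        key, _, value = item.partition("=")
        if key == "LD_PRELOAD" and value:
            # ld.so accepts colon- or space-separated library lists.
            hits.extend(p for p in re.split(r"[:\s]+", value) if p)
    return hits

def preload_from_dockerfile(text: str) -> list[str]:
    """LD_PRELOAD entries set by ENV instructions in a Dockerfile."""
    text = re.sub(r"\\\r?\n", " ", text)  # join continuation lines
    env = []
    for line in text.splitlines():
        m = re.match(r"\s*ENV\s+(.*)", line, re.IGNORECASE)
        if not m:
            continue
        try:
            tokens = shlex.split(m.group(1))
        except ValueError:                      # unbalanced quotes
            tokens = m.group(1).split()
        if tokens and "=" not in tokens[0]:     # legacy form: ENV KEY value
            env.append(f"{tokens[0]}={' '.join(tokens[1:])}")
        else:                                   # ENV K1=v1 K2=v2
            env.extend(tokens)
    return preload_from_env(env)

if __name__ == "__main__":
    print(preload_from_dockerfile(SAMPLE_DOCKERFILE))
    print(is_affected("container-toolkit", "1.17.7"))
```

The same `preload_from_env` function can be fed the `Config.Env` list from `docker image inspect` output for images that are already built.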

The disclosure comes a few months after Wiz detailed a bypass for another vulnerability in NVIDIA Container Toolkit (CVE-2024-0132, CVSS score: 9.0 and CVE-2025-23359, CVSS score: 8.3) that could have been abused to achieve full host takeover.

“While the hype around AI security risks tends to focus on futuristic, AI-based attacks, ‘old-school’ infrastructure vulnerabilities in the ever-growing AI tech stack remain the immediate threat that security teams should prioritize,” Wiz said.

“Moreover, this research highlights, not for the first time, that containers are not a robust security barrier and shouldn’t be relied upon as the sole means of isolation. When designing applications, especially for multi-tenant environments, one should always ‘assume a vulnerability’ and implement at least one strong isolation barrier, such as virtualization.”
