Cybersecurity researchers have discovered a bypass for a now-patched security vulnerability in the NVIDIA Container Toolkit that could be exploited to break out of a container’s isolation protections and gain complete access to the underlying host.
The new vulnerability is being tracked as CVE-2025-23359 (CVSS score: 8.3). It affects the following versions -
- NVIDIA Container Toolkit (All versions up to and including 1.17.3) - Fixed in version 1.17.4
- NVIDIA GPU Operator (All versions up to and including 24.9.1) - Fixed in version 24.9.2
“NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system,” the company said in an advisory on Tuesday.
“A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.”
Cloud security firm Wiz, which shared additional technical specifics of the flaw, said it’s a bypass for another vulnerability (CVE-2024-0132, CVSS score: 9.0) that was addressed by NVIDIA in September 2024.
In a nutshell, the vulnerability enables bad actors to mount the host’s root file system into a container, granting them unfettered access to all files. Furthermore, the access can be leveraged to launch privileged containers and achieve full host compromise via the runtime Unix socket.
Wiz researchers security researchers Shir Tamari, Ronen Shustin, and Andres Riancho said their source code analysis of the container toolkit found that the file paths used during mount operations could be manipulated using a symbolic link such that it makes it possible to mount from outside the container (i.e., the root directory) into a path within “/usr/lib64.”
While the access to the host file system afforded by the container escape is read-only, this limitation can be circumvented by interacting with the Unix sockets to spawn new privileged containers and gain unrestricted access to the file system.
“This elevated level of access also allowed us to monitor network traffic, debug active processes, and perform a range of other host-level operations,” the researchers said.
Besides updating to the latest version, users of the NVIDIA Container Toolkit are recommended to not disable the “—no-cntlibs” flag in production environments.
Cybersecurity Webinars
Typosquatting, Repojacking and Chaos
A Practical Path to Python Supply Chain Defense
[
Python’s package ecosystem is under siege—join us to learn how to lock down your supply chain before attackers lock you out.
](https://thehacker.news/safeguarding-python-supply-chain?source=below)Designing Secure AI Apps with Identity-First Approach
Outsmarting AI Attacks
As AI reshapes the threat landscape, identity is emerging as the most scalable—and critical—line of defense.
Latest News
Cursor AI Code Editor Fixed Flaw Allowing Attackers to Run Commands via Prompt Injection…
Cybersecurity researchers have disclosed a now-patched, high-severity security flaw in Cursor, a po…
Attackers Use Fake OAuth Apps with Tycoon Kit to Breach Microsoft 365 Accounts…
Cybersecurity researchers have detailed a new cluster of activity where threat actors are impersona…
AI-Generated Malicious npm Package Drains Solana Funds from 1,500+ Before Takedown…
Cybersecurity researchers have flagged a malicious npm package that was generated using artificial…
You Are What You Eat: Why Your AI Security Tools Are Only as Strong as the Data You Feed T…
Just as triathletes know that peak performance requires more than expensive gear, cybersecurity te…
Cybersecurity Resources
Expert Insights Articles Videos
EDR Detects, EPM Prevents. Why Using Both is a Winning Formula for Modern Endpoint Protection
[
July 28, 2025 Read ➝
](https://thehackernews.com/expert-insights/2025/07/edr-detects-epm-prevents-why-using-both.html)Empower Users and Protect Against GenAI Data Loss
July 22, 2025 Read ➝
View originalHow to “Go Passwordless” Without Getting Rid of Passwords
July 21, 2025 Read ➝
View originalEverything to Know about Runtime Reachability
July 12, 2025 Read ➝
//]]>