Monday, July 28, 2025

Critical Flaw in NVIDIA AI Toolkit Puts Cloud Services at Risk

Cybersecurity researchers at Wiz have uncovered a severe vulnerability, tracked as CVE-2025-23266 and nicknamed NVIDIAScape, that could allow attackers to escape container boundaries and gain full root access to the host machine.

The bug affects all versions of the NVIDIA Container Toolkit up to 1.17.7 and has been rated 9.0 (Critical) on the CVSS severity scale. It also affects NVIDIA GPU Operator versions up to 25.3.0, which is widely used to manage GPU containers in Kubernetes clusters.

The vulnerability has particularly serious implications for managed AI cloud services, which let customers run their own AI containers on shared GPU infrastructure. In these multi-tenant environments, a single malicious container could compromise data and models belonging to other customers on the same machine.

According to Wiz, the issue affects an estimated 37% of cloud environments, including setups used by major cloud providers.

Details about how the flaw works

As Wiz researchers explained in their breakdown, the flaw stems from how the toolkit handles OCI (Open Container Initiative) hooks, particularly the createContainer hook. When triggered, this hook inherits environment variables from the container image, a behavior that opens the door to exploitation.

By setting the LD_PRELOAD environment variable in a Dockerfile and including a malicious .so file, an attacker can inject code into privileged processes on the host system.
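Because the vector described above is an image-supplied loader variable, a defender can triage images before they reach a GPU host by inspecting their OCI config for ENV entries that set LD_PRELOAD (or related loader variables) and by comparing the installed toolkit version with the fixed release. The following is an added example written for this article, not code from Wiz or NVIDIA; the image config it reads is the `Config.Env` list as `docker inspect <image>` prints it, and the sample config and `.so` path are constructed.

```python
"""Triage helpers for the NVIDIAScape vector: flag image configs whose ENV
sets a dynamic-loader variable, and compare a toolkit version against the
fixed release named in the article (added example, not vendor code)."""
import json
from typing import Dict, List, Tuple

# Loader variables an OCI hook should never inherit from an untrusted image.
LOADER_ENV_KEYS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

# First NVIDIA Container Toolkit release with the fix (from the article).
FIXED_TOOLKIT: Tuple[int, ...] = (1, 17, 8)


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.17.7-1' -> (1, 17, 7); packaging suffixes after '-' are ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def toolkit_is_vulnerable(version: str) -> bool:
    """True when the installed toolkit predates the fixed release."""
    return parse_version(version) < FIXED_TOOLKIT


def find_loader_env(image_config: Dict) -> List[str]:
    """Return KEY=VALUE entries from an image config's Env list that set a
    loader variable. Accepts both 'Config' (docker inspect) and 'config'
    (raw OCI image config) as the top-level key."""
    cfg = image_config.get("Config") or image_config.get("config") or {}
    hits = []
    for entry in cfg.get("Env") or []:
        key = entry.split("=", 1)[0]
        if key in LOADER_ENV_KEYS:
            hits.append(entry)
    return hits


# Constructed sample image config: one benign PATH entry and one LD_PRELOAD
# entry pointing at a placeholder shared object (not a real artifact).
SAMPLE_CONFIG = json.loads("""{
  "Config": {"Env": ["PATH=/usr/local/bin:/usr/bin",
                     "LD_PRELOAD=/opt/placeholder/hook.so",
                     "CUDA_VERSION=12.4"]}
}""")

if __name__ == "__main__":
    print("loader ENV entries:", find_loader_env(SAMPLE_CONFIG))
    print("toolkit 1.17.7 vulnerable:", toolkit_is_vulnerable("1.17.7"))
```

Run it against `docker inspect` output for every image admitted to a shared GPU node; any hit is grounds to reject the image until the host runs 1.17.8 or later.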


What NVIDIA recommends

NVIDIA confirmed the flaw in a security bulletin, warning it could lead to “escalation of privileges, data tampering, information disclosure, and denial of service.” The company has patched the vulnerability in version 1.17.8 of the Container Toolkit and version 25.3.1 of the GPU Operator.

NVIDIA recommends that all users upgrade immediately, regardless of whether the host is internet-facing. Attackers could gain access through social engineering, poisoned container images, or compromised repositories.

For systems where immediate updates aren’t possible, NVIDIA recommends disabling the enable-cuda-compat hook, which is at the heart of the problem.

Security teams are advised to prioritize patching hosts that run containers built from untrusted or public images, especially in shared GPU environments. It’s also important to note that internet exposure is not required for exploitation; attackers can use social engineering or supply chain infiltration to deliver the malicious image.

A pattern of infrastructure weaknesses

This isn’t the first time the NVIDIA Container Toolkit has come under fire. In 2024, Wiz Research uncovered CVE-2024-0132, another container escape flaw affecting the same toolkit. Experts say these incidents highlight how foundational infrastructure, not just futuristic AI misuse, poses the most immediate risks to AI systems.

“While the hype around AI security risks tends to focus on futuristic, AI-based attacks, ‘old-school’ infrastructure vulnerabilities in the ever-growing AI tech stack remain the immediate threat that security teams should prioritize,” the research team wrote.

NVIDIAScape is a reminder that as AI continues to evolve, its supporting infrastructure must not be overlooked. With NVIDIA GPUs serving as the engine behind much of today’s AI development, flaws in the systems that manage them represent a critical risk to the broader digital ecosystem.
