NVIDIA Container Toolkit Vulnerability Allows Elevated Arbitrary Code Execution
NVIDIA has released critical security updates addressing two significant vulnerabilities in its Container Toolkit and GPU Operator that could allow attackers to execute arbitrary code with elevated permissions.
The vulnerabilities, identified as CVE-2025-23266 and CVE-2025-23267, affect all platforms running NVIDIA Container Toolkit versions up to 1.17.7 and GPU Operator versions up to 25.3.0.
Key Takeaways
1. NVIDIA Container Toolkit vulnerabilities enable arbitrary code execution with elevated permissions.
2. Affects all versions up to 1.17.7 (Container Toolkit) and 25.3.0 (GPU Operator).
3. Update to versions 1.17.8/25.3.1 or disable enable-cuda-compat hook.
These security flaws pose serious risks including privilege escalation, data tampering, information disclosure, and denial of service attacks.
Critical Container Vulnerabilities
The most severe vulnerability, CVE-2025-23266, carries a CVSS v3.1 base score of 9.0, categorizing it as critical severity.
This vulnerability exists in some hooks used to initialize containers, where an attacker could execute arbitrary code with elevated permissions.
The attack vector is described as “AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H,” indicating adjacent network access with low attack complexity. The vulnerability is classified under CWE-426, relating to untrusted search path issues.
The second vulnerability, CVE-2025-23267, receives a high severity rating with a CVSS score of 8.5. This flaw affects the update-ldcache hook, where attackers could cause link following attacks using specially crafted container images.
The vulnerability falls under CWE-59, representing improper link resolution before file access.
Both vulnerabilities were discovered through responsible disclosure, with CVE-2025-23266 reported by Nir Ohfeld and Shir Tamari from Trend Zero Day Initiative, and CVE-2025-23267 identified by Lei Wang and Min Yao from Nebula Security Lab at Huawei Cloud.
| CVE ID | Title | Affected Products | CVSS 3.1Score | Severity |
| CVE-2025-23266 | Arbitrary code execution with elevated permissions in container initialization hooks | NVIDIA Container Toolkit (all versions up to 1.17.7)NVIDIA GPU Operator (all versions up to 25.3.0) | 9.0 | Critical |
| CVE-2025-23267 | Link following vulnerability in update-ldcache hook | NVIDIA Container Toolkit (all versions up to 1.17.7)NVIDIA GPU Operator (all versions up to 25.3.0) | 8.5 | High |
Security Updates
NVIDIA has released updated versions to address these vulnerabilities. The NVIDIA Container Toolkit requires updating to version 1.17.8 from all previous versions up to 1.17.7.
For the NVIDIA GPU Operator on Linux platforms, users must upgrade to version 25.3.1 from all versions up to 25.3.0. Notably, the CDI mode vulnerability affects only versions prior to 1.17.5 for Container Toolkit and prior to 25.3.0 for GPU Operator.
Organizations can implement immediate mitigations by disabling the vulnerable enable-cuda-compat hook.
For NVIDIA Container Runtime users, this involves editing the /etc/nvidia-container-toolkit/config.toml file and setting the features.disable-cuda-compat-lib-hook feature flag to true:
GPU Operator users can apply mitigation through Helm installation arguments:
NVIDIA strongly recommends installing the security updates as described in the official NVIDIA Container Toolkit and GPU Operator documentation.
Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams -> Try ANY.RUN Now
Source link
