PoC Exploit Released for Critical NVIDIA AI Container Toolkit Vulnerability
A critical container escape vulnerability has emerged in the NVIDIA Container Toolkit, threatening the security foundation of AI infrastructure worldwide.
Dubbed “NVIDIAScape” and tracked as CVE-2025-23266, this flaw carries a maximum CVSS score of 9.0, representing one of the most severe threats to cloud-based AI services discovered to date.
The vulnerability allows malicious actors to break free from container isolation and achieve complete root-level control over host systems running GPU-accelerated workloads.
The exploit’s devastating simplicity sets it apart from traditional complex attack vectors.
Researchers have demonstrated that a mere three-line Dockerfile can weaponize this vulnerability, enabling attackers to bypass all container security boundaries.
The malicious payload leverages the Linux LD_PRELOAD environment variable to inject code into privileged processes during container initialization, transforming what should be isolated workloads into system-compromising threats.
Wiz.io analysts identified that the vulnerability stems from a fundamental flaw in how the NVIDIA Container Toolkit handles Open Container Initiative (OCI) hooks.
The toolkit, which serves as the critical bridge between containerized AI applications and NVIDIA GPUs, inadvertently inherits environment variables from container images during the createContainer hook execution phase.
This creates an attack surface where malicious environment variables can influence privileged host processes, leading to complete system compromise.
Technical process of the attack
The attack vector exploits the container runtime’s trust relationship with the NVIDIA Container Toolkit.
When a malicious container image contains the environment variable LD_PRELOAD=/proc/self/cwd/poc.so, the toolkit’s privileged hook process loads and executes the attacker’s shared library file directly from the container filesystem. The exploit code demonstrates this technique:
FROM busybox
ENV LD_PRELOAD=/proc/self/cwd/poc.so
ADD poc.so /
This deceptively simple payload grants immediate root access to the underlying host system, bypassing all container isolation mechanisms.
The vulnerability affects all NVIDIA Container Toolkit versions up to v1.17.7 and poses systemic risks to multi-tenant AI cloud environments where customers deploy custom container images on shared GPU infrastructure.
Organizations utilizing managed AI services from major cloud providers face immediate exposure, as a single malicious container could compromise entire host systems and access sensitive data belonging to multiple tenants.
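Two defensive checks that follow from the mechanism and the affected-version statement above, written as an added example (not code from the Wiz write-up or the NVIDIA project): flag image configurations whose ENV sets a dynamic-loader variable such as LD_PRELOAD, and test an installed toolkit version against v1.17.7. The image config shown is constructed for the example, and the list of loader variables beyond LD_PRELOAD is a conservative policy choice, not something the article states.

```python
"""Defensive checks related to CVE-2025-23266 (NVIDIAScape).

Added example, not from the original article. It covers:
  1. scanning a `docker inspect`-style image config for ENV entries that set
     a dynamic-loader variable, since the vulnerable createContainer hook
     inherits image environment variables;
  2. comparing an nvidia-container-toolkit version against v1.17.7, the last
     affected release named in the article.
"""
import json
import re

# Loader variables a workload image should not be setting. LD_PRELOAD is the
# one the public PoC uses; the others are an assumption (conservative policy).
LOADER_ENV_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

LAST_VULNERABLE = (1, 17, 7)  # "all versions up to v1.17.7"


def risky_env_entries(image_config: str) -> list[str]:
    """Return Config.Env entries that set one of LOADER_ENV_VARS."""
    cfg = json.loads(image_config)
    env = cfg.get("Config", {}).get("Env") or []
    return [e for e in env if e.split("=", 1)[0] in LOADER_ENV_VARS]


def toolkit_is_vulnerable(version: str) -> bool:
    """True when a toolkit version string (e.g. 'v1.17.7', '1.17.8-1') is <= 1.17.7."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version}")
    return tuple(int(x) for x in m.groups()) <= LAST_VULNERABLE


# Constructed sample: the Env block an image built from the article's
# three-line Dockerfile would carry.
SAMPLE_CONFIG = json.dumps({
    "Config": {"Env": ["PATH=/usr/local/bin:/usr/bin:/bin",
                       "LD_PRELOAD=/proc/self/cwd/poc.so"]}
})

if __name__ == "__main__":
    for entry in risky_env_entries(SAMPLE_CONFIG):
        print("BLOCK: image sets loader variable ->", entry)
    for v in ("v1.17.7", "1.17.8"):
        print(v, "affected" if toolkit_is_vulnerable(v) else "not affected")
```

The config scan is meant to run in an admission or image-scanning step before an untrusted image reaches a GPU node; the version check is only as good as the version string you feed it, so read it from the installed package rather than hard-coding it.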