Full Report
Cybersecurity researchers have detailed a case of an incomplete patch for a previously addressed security flaw impacting the NVIDIA Container Toolkit that, if successfully exploited, could put sensitive data at risk. The original vulnerability CVE-2024-0132 (CVSS score: 9.0) is a Time-of-Check Time-of-Use (TOCTOU) vulnerability that could lead to a container escape attack and allow for
Analysis Summary
# Vulnerability: Incomplete Patch for NVIDIA Toolkit Container Escape (TOCTOU) and Mount Table Exhaustion
## CVE Details
- CVE ID: CVE-2025-23359 (Related to initial fix for CVE-2024-0132)
- CVSS Score: 9.0 (Critical)
- CWE: Lack of proper locking (implied; related to TOCTOU / improper synchronization)
## Affected Systems
- Products: NVIDIA Container Toolkit
- Versions: Version 1.17.4 (if `allow-cuda-compat-libs-from-container` feature is explicitly enabled)
- Configurations: Exploiting CVE-2025-23359 requires the attacker to already have code execution within a container. A separate performance issue affects Docker on Linux when containers use multiple mounts with `bind-propagation=shared`.
## Vulnerability Description
This vulnerability represents an **incomplete patch** for the previously disclosed CVE-2024-0132 (a TOCTOU bug). Specifically, the flaw remains in the `mount_files` function due to a lack of proper locking during object operations. A specially crafted container can exploit this TOCTOU vulnerability to achieve **container escape**, enabling the attacker to escalate privileges to root on the host system and execute arbitrary commands, provided they already have code execution inside the container.
Additionally, a related performance flaw was discovered affecting Docker on Linux when using multiple mounts with `bind-propagation=shared`. This leads to improper cleanup of entries in the Linux mount table upon container termination, causing unchecked growth, eventual exhaustion of file descriptors (FDs), and a Denial of Service (DoS) condition impacting the host (e.g., preventing new container creation or SSH access).
## Exploitation
- Status: PoC available (Implied, based on Trend Micro analysis of an incomplete fix for an undisclosed vulnerability leading to container escape)
- Complexity: Medium (Requires precondition of existing code execution within a container for the container escape/privilege escalation)
- Attack Vector: Local (from inside a container)
## Impact
- Confidentiality: High (Access to sensitive host resources/filesystem)
- Integrity: High (Execution of arbitrary code with root privileges on the host)
- Availability: High (DoS condition on the host due to mount table exhaustion)
## Remediation
### Patches
- NVIDIA addressed the flaw in NVIDIA Container Toolkit **Version 1.17.4**. (Note: The article states v1.17.4 is affected if a feature is enabled, but also confusingly states the issue has been *addressed* in v1.17.4, suggesting a later patch *after* v1.17.4 or a specific context needed for the fix in that version.) **Advisories should be checked for the definitive fixed version.**
### Workarounds
- Monitor the Linux mount table for abnormal growth.
- Limit Docker API access to authorized personnel.
- Enforce strong access control policies.
- Conduct periodic audits of container-to-host filesystem bindings.
## Detection
- Indicators of Compromise: Rapid and uncontrollable growth in the Linux mount table, file descriptor (FD) exhaustion on the host, inability to create new containers, decreased host responsiveness (e.g., SSH timeouts).
- Detection methods and tools: Tools capable of monitoring Linux kernel operations, mount table status (`/proc/mounts`), and file descriptor usage statistics on the host system.
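The host-side check described above, as an added example (not code from the article, NVIDIA, Trend Micro or ZDI): it parses lines in the `/proc/self/mountinfo` format (chosen over `/proc/mounts` because mountinfo carries the `shared:N` propagation tag), counts shared-propagation entries and stacked duplicates at a single mountpoint, compares the total against a recorded baseline, and reads the `/proc/sys/fs/file-nr` format for file-descriptor pressure. The sample lines, baseline and thresholds are constructed assumptions; tune them to the host.

```python
"""Mount-table and FD growth check (added example, not from the page or the vendor).
Parses /proc/self/mountinfo-style lines and the /proc/sys/fs/file-nr format."""
from collections import Counter

# Constructed sample in mountinfo format:
#   ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional tags...] - FSTYPE SOURCE SUPEROPTS
# The last four lines mimic leaked shared-propagation mounts stacked on one mountpoint.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
120 28 0:45 / /var/lib/docker/overlay2/abc/merged rw,relatime - overlay overlay rw,lowerdir=/l/A
301 120 8:1 /data /var/lib/docker/overlay2/abc/merged/mnt rw,relatime shared:7 - ext4 /dev/sda1 rw
302 120 8:1 /data /var/lib/docker/overlay2/abc/merged/mnt rw,relatime shared:7 - ext4 /dev/sda1 rw
303 120 8:1 /data /var/lib/docker/overlay2/abc/merged/mnt rw,relatime shared:7 - ext4 /dev/sda1 rw
304 120 8:1 /data /var/lib/docker/overlay2/abc/merged/mnt rw,relatime shared:7 - ext4 /dev/sda1 rw
"""

# Constructed /proc/sys/fs/file-nr content: "allocated free max".
SAMPLE_FILE_NR = "950000 0 1000000\n"


def parse_mountinfo(text):
    """Return one dict per mount entry; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")  # the lone "-" field separates the two halves
        lf, rf = left.split(), right.split()
        if not sep or len(lf) < 6 or len(rf) < 2:
            continue
        optional = lf[6:]  # e.g. "shared:7", "master:1"
        shared = next((o for o in optional if o.startswith("shared:")), None)
        entries.append({
            "id": int(lf[0]), "parent": int(lf[1]), "root": lf[3],
            "mountpoint": lf[4], "fstype": rf[0], "source": rf[1],
            "peer_group": int(shared.split(":", 1)[1]) if shared else None,
        })
    return entries


def summarize(entries):
    """Totals plus mountpoints that carry more than one mount (stacked duplicates)."""
    by_mountpoint = Counter(e["mountpoint"] for e in entries)
    return {
        "total": len(entries),
        "shared": sum(1 for e in entries if e["peer_group"] is not None),
        "stacked": {mp: n for mp, n in by_mountpoint.items() if n > 1},
    }


def check_growth(summary, baseline_total, growth_factor=2.0, hard_cap=10000, stack_limit=3):
    """Alert strings for runaway growth; thresholds are assumptions, not vendor guidance."""
    alerts = []
    if summary["total"] >= hard_cap:
        alerts.append(f"mount count {summary['total']} at or above cap {hard_cap}")
    elif baseline_total and summary["total"] >= growth_factor * baseline_total:
        alerts.append(f"mount count {summary['total']} is >= {growth_factor}x baseline {baseline_total}")
    for mp, n in summary["stacked"].items():
        if n >= stack_limit:
            alerts.append(f"{n} stacked mounts at {mp}")
    return alerts


def fd_pressure(file_nr_text, warn_ratio=0.9):
    """(allocated/max ratio, over_threshold) from /proc/sys/fs/file-nr content."""
    allocated, _free, maximum = (int(x) for x in file_nr_text.split()[:3])
    ratio = allocated / maximum
    return ratio, ratio >= warn_ratio


def check_host(baseline_total):
    """Read the live host files; run as root or with read access to /proc."""
    with open("/proc/self/mountinfo") as f:
        summary = summarize(parse_mountinfo(f.read()))
    with open("/proc/sys/fs/file-nr") as f:
        ratio, over = fd_pressure(f.read())
    alerts = check_growth(summary, baseline_total)
    if over:
        alerts.append(f"file descriptor usage at {ratio:.0%} of fs.file-max")
    return summary, alerts


if __name__ == "__main__":
    # Demo on the constructed sample with an assumed baseline of 3 mounts.
    for a in check_growth(summarize(parse_mountinfo(SAMPLE_MOUNTINFO)), baseline_total=3):
        print("ALERT:", a)
```

Record the baseline from a freshly booted host with no containers running, then run the check periodically; a steadily climbing total or a growing stack of identical entries under a container's merged overlay root, after the container has exited, is the leak pattern the report describes.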
## References
- Vendor Advisories: [nvidia.custhelp.com/app/answers/detail/a_id/5616](https://nvidia.custhelp.com/app/answers/detail/a_id/5616)
- Trend Micro Report: [www.trendmicro.com/en_us/research/25/d/incomplete-nvidia-patch.html](https://www.trendmicro.com/en_us/research/25/d/incomplete-nvidia-patch.html)
- ZDI Advisory: [www.zerodayinitiative.com/advisories/ZDI-25-087/](https://www.zerodayinitiative.com/advisories/ZDI-25-087/)