Full Report
Cybersecurity researchers have discovered a bypass for a now-patched security vulnerability in the NVIDIA Container Toolkit that could be exploited to break out of a container's isolation protections and gain complete access to the underlying host. The new vulnerability is being tracked as CVE-2025-23359 (CVSS score: 8.3). It affects the following versions - NVIDIA Container Toolkit (All
Analysis Summary
# Vulnerability: NVIDIA Container Toolkit TOCTOU Bypass Leading to Host Compromise
## CVE Details
- CVE ID: CVE-2025-23359
- CVSS Score: 8.3 (High)
- CWE: Time-of-Check Time-of-Use (TOCTOU, related to CWE-367)
## Affected Systems
- Products: NVIDIA Container Toolkit, NVIDIA GPU Operator
- Versions:
- NVIDIA Container Toolkit: All versions up to and including 1.17.3
- NVIDIA GPU Operator: All versions up to and including 24.9.1
- Configurations: Affects systems using the default configuration of the NVIDIA Container Toolkit.
## Vulnerability Description
This vulnerability is a bypass for a previously patched vulnerability (CVE-2024-0132). It is a Time-of-Check Time-of-Use (TOCTOU) flaw within the NVIDIA Container Toolkit for Linux. An attacker inside a container can exploit this by crafting a container image that manipulates file paths during mount operations, typically using a symbolic link. This manipulation allows the attacker to bypass security checks and mount the host's root file system into a path within the container (specifically `/usr/lib64`). While the initial access to the host file system might be read-only, this access can be leveraged through interaction with the runtime Unix sockets to launch new privileged containers, resulting in unrestricted file system access and full host compromise.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but a PoC exists (implied by researchers sharing technical specifics).
- Complexity: Medium (Requires path manipulation leveraging a symlink within a crafted container image).
- Attack Vector: Adjacent (Requires execution capability within a container running with the toolkit).
## Impact
- Confidentiality: High (Information disclosure via access to host files and monitoring network traffic).
- Integrity: High (Data tampering via full file system access).
- Availability: High (Denial of Service is listed as a potential impact).
## Remediation
### Patches
- NVIDIA Container Toolkit: Fixed in version **1.17.4**
- NVIDIA GPU Operator: Fixed in version **24.9.2**
### Workarounds
- Users are recommended to **not disable the `"--no-cntlibs"` flag** in production environments, as disabling this flag is part of the defense against this bypass.
## Detection
- Indicators of Compromise: Unexplained access to host file system paths, unexpected creation of privileged containers, or suspicious interaction with runtime Unix sockets from within an NVIDIA-enabled container.
- Detection Methods and Tools: Source code analysis suggests that monitoring mount operations and subsequent interactions with the runtime Unix socket context within container environments could reveal suspicious activity.
## References
- Vendor Advisory (CVE-2025-23359): nvidia dot custhelp dot com/app/answers/detail/a_id/5616
- Related/Preceding Vulnerability (CVE-2024-0132): thehackernews dot com/2024/09/critical-nvidia-container-toolkit dot html