NVIDIA has released a security update to address a critical vulnerability in its NVIDIA Container Toolkit and NVIDIA GPU Operator, which could allow attackers to execute arbitrary code, escalate privileges, and gain access to the host file system. 

This vulnerability, tracked as CVE-2025-23359, is categorized as a Time-of-Check Time-of-Use (TOCTOU) flaw with a CVSS v3.1 base score of 8.3 (High).

NVIDIA Container Toolkit Vulnerability

The vulnerability exists in the default configuration of the NVIDIA Container Toolkit for Linux. 

It allows a maliciously crafted container image to exploit a race condition, gaining unauthorized access to the host file system. Successful exploitation could result in:

  • Arbitrary command execution on the host.
  • Privilege escalation by unauthorized users.
  • Disruption of system operations.
  • Exposure of sensitive data.
  • Unauthorized modification of files.

This issue affects all versions of the NVIDIA Container Toolkit up to and including version 1.17.3 and NVIDIA GPU Operator up to version 24.9.1.

NVIDIA credits Wiz Research researchers Andres Riancho, Ronen Shustin, and Shir Tamari, as well as Lei Wang, for identifying this vulnerability.

Mitigation and Updates

NVIDIA strongly recommends users update to the following patched versions:

The updates alter the default behavior of the NVIDIA Container Toolkit by no longer mounting CUDA compatibility libraries from /usr/local/cuda/compat into containers by default. 

Users requiring this functionality can opt in by enabling the feature flag allow-cuda-compat-libs-from-container in the configuration file at /etc/nvidia-container-runtime/config.toml:

[features]
allow-cuda-compat-libs-from-container = true

However, enabling this feature reintroduces vulnerability risks and is not recommended.

For NVIDIA GPU Operator users, this flag can be set during Helm installation:

Alternatively, applications requiring CUDA Forward Compatibility can set the LD_LIBRARY_PATH environment variable to include /usr/local/cuda/compat, though this may lead to portability issues across driver versions.

Mitigations

The vulnerability highlights risks associated with containerized environments, particularly for AI workloads using GPUs in cloud or on-premises systems. 

Researchers from Wiz Research noted that CVE-2025-23359 bypasses the fix for an earlier vulnerability, CVE-2024-0132, which was patched in September 2024; however, some security gaps remained.

Attackers exploiting this flaw could potentially stage supply chain attacks or compromise shared GPU resources.

Users are advised to update affected software immediately, validate container images using checksum verification, and avoid enabling deprecated features unless absolutely necessary.

Guru Baran