A crucial container escape vulnerability has emerged within the NVIDIA Container Toolkit, threatening the safety basis of AI infrastructure worldwide.
Dubbed “NVIDIAScape” and tracked as CVE-2025-23266, this flaw carries a most CVSS rating of 9.0, representing one of the extreme threats to cloud-based AI providers found up to now.
The vulnerability permits malicious actors to interrupt free from container isolation and obtain full root-level management over host techniques working GPU-accelerated workloads.
The exploit’s devastating simplicity units it aside from conventional complicated assault vectors.
Researchers have demonstrated {that a} mere three-line Dockerfile can weaponize this vulnerability, enabling attackers to bypass all container safety boundaries.
The malicious payload leverages the Linux LD_PRELOAD setting variable to inject code into privileged processes throughout container initialization, remodeling what needs to be remoted workloads into system-compromising threats.
Wiz.io analysts recognized that the vulnerability stems from a basic flaw in how the NVIDIA Container Toolkit handles Open Container Initiative (OCI) hooks.
Arbitrary photos loading (Supply – Wiz.io)
The toolkit, which serves because the crucial bridge between containerized AI functions and NVIDIA GPUs, inadvertently inherits setting variables from container photos throughout the createContainer hook execution part.
This creates an assault floor the place malicious setting variables can affect privileged host processes, main to finish system compromise.
Technical technique of the assault
The assault vector exploits the container runtime’s belief relationship with the NVIDIA Container Toolkit.
When a malicious container picture incorporates the setting variable LD_PRELOAD=/proc/self/cwd/poc.so, the toolkit’s privileged hook course of hundreds and executes the attacker’s shared library file immediately from the container filesystem. The exploit code demonstrates this method:-
FROM busybox
ENV LD_PRELOAD=/proc/self/cwd/poc.so
ADD poc.so /
This deceptively easy payload grants rapid root entry to the underlying host system, bypassing all container isolation mechanisms.
The vulnerability impacts all NVIDIA Container Toolkit variations as much as v1.17.7 and poses systemic dangers to multi-tenant AI cloud environments the place prospects deploy customized container photos on shared GPU infrastructure.
Organizations using managed AI providers from main cloud suppliers face rapid publicity, as a single malicious container may compromise total host techniques and entry delicate information belonging to a number of tenants.
Enhance detection, cut back alert fatigue, speed up response; all with an interactive sandbox constructed for safety groups -> Attempt ANY.RUN Now
