Cybersecurity researchers at Wiz identified a critical vulnerability, NVIDIAScape (CVE-2025-23266), within the NVIDIA Container Toolkit. This flaw permits attackers to bypass container isolation, achieving root access to the host machine. The vulnerability impacts NVIDIA Container Toolkit versions up to 1.17.7 and NVIDIA GPU Operator versions up to 25.3.0.
The Common Vulnerability Scoring System (CVSS) assigns a severity score of 9.0 (Critical) to NVIDIAScape. Its implications extend to managed AI cloud services, where it could facilitate the compromise of data and models belonging to multiple users within shared GPU infrastructure. Wiz estimates approximately 37% of cloud environments, including those of major cloud providers, are susceptible to this vulnerability.
Wiz researchers detailed that the flaw originates from the toolkit’s handling of Open Container Initiative (OCI) hooks, specifically the createContainer hook. This hook inherits environment variables from the container image, creating an exploitation vector. Attackers can leverage this by setting the LD_PRELOAD environment variable within a Dockerfile and incorporating a malicious .so file, thereby injecting code into privileged processes on the host system.
NVIDIA confirmed the vulnerability through a security bulletin, cautioning that its exploitation could lead to “escalation of privileges, data tampering, information disclosure, and denial-of-service.” The company has since released patched versions: 1.17.8 for the Container Toolkit and 25.3.1 for the GPU Operator. NVIDIA advises immediate upgrades for all users, irrespective of whether the host system is internet-facing, noting that attackers could gain access through social engineering, poisoned container images, or compromised repositories.
For situations where immediate updates are not feasible, NVIDIA suggests a temporary workaround: disabling the enable-cuda-compat hook, which is central to the vulnerability. Security teams are further advised to prioritize patching hosts that execute containers constructed from untrusted or public images, particularly in shared GPU environments. The company emphasizes that internet exposure is not a prerequisite for exploitation, as attackers can utilize social engineering or supply chain infiltration to deliver malicious images.
This incident is not an isolated occurrence for the NVIDIA Container Toolkit. In 2024, Wiz Research previously uncovered CVE-2024-0132, another container escape vulnerability affecting the same toolkit. Experts underscore that these instances highlight how fundamental infrastructure vulnerabilities, rather than solely futuristic AI misuse, represent the most immediate threats to AI systems. The research team stated, “While the hype around AI security risks tends to focus on futuristic, AI-based attacks, ‘old-school’ infrastructure vulnerabilities in the ever-growing AI tech stack remain the immediate threat that security teams should prioritize.”
