Cybersecurity researchers have disclosed a critical container escape vulnerability in the NVIDIA Container Toolkit that could pose a severe threat to managed AI cloud services.
The vulnerability, tracked as CVE-2025-23266, carries a CVSS score of 9.0 out of 10.0. It has been codenamed NVIDIAScape by Google-owned cloud security company Wiz.
“NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions,” NVIDIA said in an advisory for the bug.
“A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial-of-service.”
The shortcoming impacts all versions of NVIDIA Container Toolkit up to and including 1.17.7 and NVIDIA GPU Operator up to and including 25.3.0. It has been addressed by the GPU maker in versions 1.17.8 and 25.3.1, respectively.
The NVIDIA Container Toolkit refers to a collection of libraries and utilities that enable users to build and run GPU-accelerated Docker containers. The NVIDIA GPU Operator is designed to deploy these containers automatically on GPU nodes in a Kubernetes cluster.
Wiz, which shared details of the flaw in a Thursday analysis, said the shortcoming affects 37% of cloud environments, allowing an attacker to potentially access, steal, or manipulate the sensitive data and proprietary models of all other customers running on the same shared hardware by means of a three-line exploit.
The vulnerability stems from a misconfiguration in how the toolkit handles the Open Container Initiative (OCI) hook “createContainer.” A successful exploit for CVE-2025-23266 can result in a complete takeover of the server. Wiz also characterized the flaw as “incredibly” easy to weaponize.
“By setting LD_PRELOAD in their Dockerfile, an attacker could instruct the nvidia-ctk hook to load a malicious library,” Wiz researchers Nir Ohfeld and Shir Tamari added.
“Making matters worse, the createContainer hook executes with its working directory set to the container’s root filesystem. This means the malicious library can be loaded directly from the container image with a simple path, completing the exploit chain.”
All of this can be achieved with a “stunningly simple three-line Dockerfile” that loads the attacker’s shared object file into a privileged process, resulting in a container escape.
The disclosure comes a couple of months after Wiz detailed a bypass for another vulnerability in NVIDIA Container Toolkit (CVE-2024-0132, CVSS score: 9.0 and CVE-2025-23359, CVSS score: 8.3) that could have been abused to achieve complete host takeover.
“While the hype around AI security risks tends to focus on futuristic, AI-based attacks, ‘old-school’ infrastructure vulnerabilities in the ever-growing AI tech stack remain the immediate threat that security teams should prioritize,” Wiz said.
“Additionally, this research highlights, not for the first time, that containers are not a strong security barrier and should not be relied upon as the sole means of isolation. When designing applications, especially for multi-tenant environments, one should always ‘assume a vulnerability’ and implement at least one strong isolation barrier, such as virtualization.”
