A critical container escape vulnerability has emerged in the NVIDIA Container Toolkit, threatening the security foundation of AI infrastructure worldwide.<\/p>\n
Dubbed \u201cNVIDIAScape\u201d and tracked as CVE-2025-23266, this flaw carries a maximum CVSS score of 9.0, representing one of the most severe threats to cloud-based AI services discovered to date.<\/p>\n
The vulnerability allows malicious actors<\/a> to break free from container isolation and achieve complete root-level control over host systems running GPU-accelerated workloads.<\/p>\n The exploit\u2019s devastating simplicity sets it apart from traditional complex attack vectors.<\/p>\n Researchers have demonstrated that a mere three-line Dockerfile can weaponize this vulnerability, enabling attackers to bypass all container security boundaries.<\/p>\n The malicious payload leverages the Linux LD_PRELOAD environment variable to inject code into privileged processes during container initialization, transforming what should be isolated workloads into system-compromising threats.<\/p>\n Wiz.io analysts identified<\/a> that the vulnerability stems from a fundamental flaw in how the NVIDIA Container Toolkit handles Open Container Initiative (OCI) hooks.<\/p>\n The toolkit, which serves as the critical bridge between containerized AI applications and NVIDIA GPUs<\/a>, inadvertently inherits environment variables from container images during the createContainer hook execution phase.<\/p>\n This creates an attack surface where malicious environment variables can influence privileged host processes, leading to complete system compromise.<\/p>\n The attack vector exploits the container runtime\u2019s trust relationship with the NVIDIA Container Toolkit. <\/p>\n When a malicious container image contains the environment variable This deceptively simple payload grants immediate root access to the underlying host system, bypassing all container isolation mechanisms.<\/p>\n The vulnerability affects all NVIDIA Container Toolkit versions up to v1.17.7 and poses systemic risks to multi-tenant AI cloud environments where customers deploy custom container images on shared GPU infrastructure.<\/p>\n Organizations utilizing managed AI services<\/a> from major cloud providers face immediate exposure, as a single malicious container could compromise entire host systems and access sensitive data belonging to multiple tenants.<\/p>\n Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams ->\u00a0Try ANY.RUN Now<\/a><\/strong><\/p>\n The post PoC Exploit Released for Critical NVIDIA AI Container Toolkit Vulnerability<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhtqn0fzpwGNZkM4almmYT6T3kCHgJHYEps_Zgz9J5GPlWlBNxd6Xgl_9VLhxF2UbWBT7hE0kTDQd-nrPz0qDcMB-qf8p5EgOKR9dvXaaRjGteh_-IANeeC2cbqpq1JG8j9SmWyetxC0cvFLmnN2bCUwuMfaOLFnhS2gY2YE3XRH7h-Iekp-YmKFX4QqwI\/s16000\/Arbitrary%2520images%2520loading%2520%28Source%2520-%2520Wiz.io%29.webp?ssl=1\")
Technical process of the attack<\/strong><\/h2>\n
LD_PRELOAD=\/proc\/self\/cwd\/poc.so<\/code>, the toolkit\u2019s privileged hook process loads and executes the attacker\u2019s shared library file directly from the container filesystem. The exploit code demonstrates this technique:-<\/p>\nFROM busybox\nENV LD_PRELOAD=\/proc\/self\/cwd\/poc.so\nADD poc.so \/<\/code><\/pre>\n