CVE-2025-23266
📋 TL;DR
CVE-2025-23266 is a container escape vulnerability in NVIDIA Container Toolkit that allows attackers to execute arbitrary code with elevated permissions from within containers. This affects all platforms using NVIDIA Container Toolkit to run GPU-accelerated containers. Successful exploitation could lead to full host compromise.
💻 Affected Systems
- NVIDIA Container Toolkit
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete container escape leading to full host compromise, privilege escalation to root, data exfiltration, and lateral movement across the network.
Likely Case
Privilege escalation within containerized environments, unauthorized access to GPU resources, and potential data tampering in multi-tenant AI/ML environments.
If Mitigated
Limited impact with proper container isolation, minimal container privileges, and network segmentation in place.
🎯 Exploit Status
Exploit requires initial access to a container with NVIDIA Container Toolkit hooks enabled. Public proof-of-concept demonstrates container escape.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.17.0 and later
Vendor Advisory: https://nvidia.custhelp.com/app/answers/detail/a_id/5659
Restart Required: Yes
Instructions:
1. Update NVIDIA Container Toolkit to version 1.17.0 or later.
2. Restart containers using NVIDIA GPU acceleration.
3. Verify the update with the 'nvidia-ctk version' command.
🔧 Temporary Workarounds
Disable NVIDIA Container Toolkit hooks
Linux: Remove or disable the vulnerable hooks to prevent exploitation. Note that the second command removes the entire hooks directory, including any non-NVIDIA hooks it contains.
rm -rf /usr/share/containers/oci/hooks.d/oci-nvidia-hook.json
rm -rf /etc/containers/oci/hooks.d/
Run containers without NVIDIA Container Toolkit
Linux: Use alternative methods for GPU access in containers
docker run --gpus none ...
podman run --security-opt=no-new-privileges ...
🧯 If You Can't Patch
- Implement strict container isolation with no-new-privileges security option
- Apply network segmentation to limit container communication and lateral movement
🔍 How to Verify
Check if Vulnerable:
Check NVIDIA Container Toolkit version with 'nvidia-ctk version' or 'nvidia-container-toolkit --version'. Versions below 1.17.0 are vulnerable.
Check Version:
nvidia-ctk version
Verify Fix Applied:
Verify that the version reported by 'nvidia-ctk version' is 1.17.0 or higher. Test container escape attempts should fail.
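The version check described in this section, as an added example that is not part of the original page: it extracts the dotted version from the output of 'nvidia-ctk version', compares it numerically against the 1.17.0 threshold given above (a plain string comparison would misorder 1.9 and 1.17), and reports whether the hook file named in the workaround section is still present. It assumes the tool prints its version as an x.y.z token; the sample version strings used for checking are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): assess an installed NVIDIA
# Container Toolkit against the fixed version stated in this advisory.
# Sample version strings used for testing are constructed for illustration.

FIXED_VERSION="1.17.0"

# version_lt A B -> exit 0 if dotted version A is lower than B, else 1.
# Compares the first three numeric fields; a suffix such as "-rc.1" is ignored.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        fa=$(printf '%s' "$1" | cut -d. -f"$i")
        fb=$(printf '%s' "$2" | cut -d. -f"$i")
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}   # drop any non-numeric tail
        fa=${fa:-0}; fb=${fb:-0}               # a missing field counts as 0
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# extract_version OUTPUT -> first x.y.z token found in the tool's output
# (assumes 'nvidia-ctk version' includes the version in that form).
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# assess_output OUTPUT -> prints VULNERABLE, PATCHED or UNKNOWN
assess_output() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN"
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE"
    else
        echo "PATCHED"
    fi
}

# hook_installed DIR -> exit 0 if the NVIDIA OCI hook file named in the
# workaround section is still present under DIR, else 1.
hook_installed() {
    [ -f "$1/oci-nvidia-hook.json" ]
}

# Stand-alone use: query the installed tool and the known hook locations.
if command -v nvidia-ctk >/dev/null 2>&1; then
    echo "nvidia-ctk: $(assess_output "$(nvidia-ctk version 2>&1)") (threshold $FIXED_VERSION)"
else
    echo "nvidia-ctk not on PATH; toolkit not installed or installed elsewhere" >&2
fi
for d in /usr/share/containers/oci/hooks.d /etc/containers/oci/hooks.d; do
    if hook_installed "$d"; then
        echo "NVIDIA OCI hook present: $d/oci-nvidia-hook.json"
    fi
done
```

Run it on the host (not inside a container) so it sees the host's toolkit and hook directories; a PATCHED verdict together with no hook reported means both the fix and the workaround state are as the advisory expects.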
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from containers
- Suspicious hook initialization in container logs
- Unexpected privilege escalation attempts
Network Indicators:
- Containers making unexpected outbound connections
- Unusual network traffic from container hosts
SIEM Query:
process.name: "nvidia-container-toolkit" AND process.version < "1.17.0"
🔗 References
- https://nvidia.custhelp.com/app/answers/detail/a_id/5659
- https://kidbomb.github.io/posts/nvidia-container-escape-cve-2025-23266-part-2/
- https://kidbomb.github.io/posts/nvidia-container-escape-cve-2025-23266/
- https://news.ycombinator.com/item?id=44818412
- https://www.wiz.io/blog/nvidia-ai-vulnerability-cve-2025-23266-nvidiascape