CVE-2025-23359
NVIDIA Container Toolkit Análisis y mitigación de vulnerabilidades

Vista general

NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability (CVE-2025-23359) discovered in February 2025. The vulnerability affects all versions of NVIDIA Container Toolkit up to and including 1.17.3 and NVIDIA GPU Operator up to and including 24.9.1. When used with default configuration, this vulnerability allows a crafted container image to gain access to the host file system (NVIDIA Advisory, NVD).

Técnicas

The vulnerability is a Time-of-Check Time-of-Use (TOCTOU) race condition that enables attackers to mount the host's root filesystem into a container, granting unrestricted access to all host files. The issue received a CVSS v3.1 base score of 8.3 (High) with the vector string AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. The vulnerability is particularly concerning as it can be exploited through the manipulation of symbolic links and filesystem operations during container initialization (Wiz Blog, Hacker News).

Impacto

A successful exploitation of this vulnerability can lead to multiple severe consequences including code execution, denial of service, escalation of privileges, information disclosure, and data tampering. While the initial access to the host filesystem is read-only, attackers can leverage access to Unix sockets to launch privileged containers and achieve full host compromise (NVIDIA Advisory, Wiz Blog).

Mitigación y soluciones alternativas

NVIDIA has released version 1.17.4 of the Container Toolkit and version 24.9.2 of the GPU Operator to address this vulnerability. The fix changes the default behavior of the NVIDIA Container Toolkit, preventing CUDA compatibility libraries from being mounted to the default library path in the container. Users are strongly advised not to disable the --no-cntlibs flag in production environments. For cases requiring CUDA Forward Compatibility, users can set the LD_LIBRARY_PATH environment variable to include /usr/local/cuda/compat, though this may cause portability issues (NVIDIA Advisory).

Reacciones de la comunidad

The vulnerability was independently discovered and reported by multiple security researchers, including teams from Wiz Research and Trend Micro Research. NVIDIA has acknowledged the researchers' contributions and worked closely with them to ensure proper mitigation of both the original vulnerability and its bypass (NVIDIA Advisory, Wiz Blog).

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado NVIDIA Container Toolkit Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-39834CRITICAL9.1
  • cAdvisor logocAdvisor
  • nginx-prometheus-exporter
NoMay 22, 2026
CVE-2026-39830CRITICAL9.1
  • cAdvisor logocAdvisor
  • grafana-12.4
NoMay 22, 2026
CVE-2026-24260HIGH8.5
  • NVIDIA Container Toolkit logoNVIDIA Container Toolkit
  • nvidia-container-toolkit
NoNoJul 01, 2026
CVE-2026-32289MEDIUM6.1
  • Go logoGo
  • eks-distro-coredns-fips-1.33
NoApr 08, 2026
CVE-2026-41579LOW3.3
  • cAdvisor logocAdvisor
  • gpu-operator-26.3
NoJul 01, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades