CVE-2025-23359
NVIDIA Container Toolkit Análise e mitigação de vulnerabilidades

Visão geral

NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability (CVE-2025-23359) discovered in February 2025. The vulnerability affects all versions of NVIDIA Container Toolkit up to and including 1.17.3 and NVIDIA GPU Operator up to and including 24.9.1. When used with default configuration, this vulnerability allows a crafted container image to gain access to the host file system (NVIDIA Advisory, NVD).

Detalhes técnicos

The vulnerability is a Time-of-Check Time-of-Use (TOCTOU) race condition that enables attackers to mount the host's root filesystem into a container, granting unrestricted access to all host files. The issue received a CVSS v3.1 base score of 8.3 (High) with the vector string AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. The vulnerability is particularly concerning as it can be exploited through the manipulation of symbolic links and filesystem operations during container initialization (Wiz Blog, Hacker News).

Impacto

A successful exploitation of this vulnerability can lead to multiple severe consequences including code execution, denial of service, escalation of privileges, information disclosure, and data tampering. While the initial access to the host filesystem is read-only, attackers can leverage access to Unix sockets to launch privileged containers and achieve full host compromise (NVIDIA Advisory, Wiz Blog).

Mitigação e soluções alternativas

NVIDIA has released version 1.17.4 of the Container Toolkit and version 24.9.2 of the GPU Operator to address this vulnerability. The fix changes the default behavior of the NVIDIA Container Toolkit, preventing CUDA compatibility libraries from being mounted to the default library path in the container. Users are strongly advised not to disable the --no-cntlibs flag in production environments. For cases requiring CUDA Forward Compatibility, users can set the LD_LIBRARY_PATH environment variable to include /usr/local/cuda/compat, though this may cause portability issues (NVIDIA Advisory).

Reações da comunidade

The vulnerability was independently discovered and reported by multiple security researchers, including teams from Wiz Research and Trend Micro Research. NVIDIA has acknowledged the researchers' contributions and worked closely with them to ensure proper mitigation of both the original vulnerability and its bypass (NVIDIA Advisory, Wiz Blog).

Recursos adicionais


OrigemEste relatório foi gerado usando IA

Relacionado NVIDIA Container Toolkit Vulnerabilidades:

CVE ID

Gravidade

Pontuação

Tecnologias

Nome do componente

Exploração do CISA KEV

Tem correção

Data de publicação

CVE-2026-39834CRITICAL9.1
  • cAdvisor logocAdvisor
  • nginx-prometheus-exporter
NãoSimMay 22, 2026
CVE-2026-39830CRITICAL9.1
  • cAdvisor logocAdvisor
  • grafana-12.4
NãoSimMay 22, 2026
CVE-2026-24260HIGH8.5
  • NVIDIA Container Toolkit logoNVIDIA Container Toolkit
  • nvidia-container-toolkit
NãoNãoJul 01, 2026
CVE-2026-32289MEDIUM6.1
  • Go logoGo
  • eks-distro-coredns-fips-1.33
NãoSimApr 08, 2026
CVE-2026-41579LOW3.3
  • cAdvisor logocAdvisor
  • gpu-operator-26.3
NãoSimJul 01, 2026

Avaliação de vulnerabilidade gratuita

Compare sua postura de segurança na nuvem

Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.

Solicitar avaliação

Marque uma demonstração personalizada

Pronto para ver a Wiz em ação?

"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
David EstlickCISO
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
Adão FletcherDiretor de Segurança
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."
Greg PoniatowskiChefe de Gerenciamento de Ameaças e Vulnerabilidades