CVE-2025-23266: 
Alma Linux vulnerability analysis and mitigation

NVIDIA Container Toolkit for all platforms contains a vulnerability (CVE-2025-23266) in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions. The vulnerability was discovered in July 2025 and has been assigned a critical CVSS score of 9.0. This vulnerability affects all versions of NVIDIA Container Toolkit up to and including v1.17.7 (CDI mode only for versions prior to 1.17.5) and NVIDIA GPU Operator up to and including 25.3.1 (NVIDIA Advisory).

The vulnerability stems from a misconfiguration in how the toolkit handles OCI hooks, specifically the createContainer hook. The flaw allows the hook to inherit environment variables from the container image. When a container is started with the NVIDIA runtime, the NCT registers several hooks including the createContainer hook which runs as a privileged process on the host. The vulnerability can be exploited by manipulating the LD_PRELOAD environment variable, allowing an attacker to load a malicious library into the privileged process (Wiz Blog).

A successful exploit of this vulnerability can lead to multiple severe consequences including escalation of privileges, data tampering, information disclosure, and denial of service. The vulnerability represents a systemic risk to the AI ecosystem, potentially allowing attackers to breach the isolation between different customers and affect thousands of organizations. In managed AI cloud services, attackers could gain full root control of the host machine and access sensitive data and proprietary models of other customers running on the same shared hardware (NVIDIA Advisory, Wiz Blog).

NVIDIA has released patches in version 1.17.8 of the Container Toolkit and version 25.3.1 of the GPU Operator. For systems that cannot be immediately upgraded, NVIDIA provides mitigation options by disabling the enable-cuda-compat hook. For NVIDIA Container Runtime, this can be done by editing the /etc/nvidia-container-toolkit/config.toml file and setting features.disable-cuda-compat-lib-hook to true. For NVIDIA GPU Operator, the hook can be disabled by adding disable-cuda-compat-lib-hook to the NVIDIACONTAINERTOOLKITOPTINFEATURES environment variable ([NVIDIA Advisory](https://nvidia.custhelp.com/app/answers/detail/aid/5659)).

The vulnerability has been dubbed #NVIDIAScape by security researchers. The discovery highlights that while AI security discussions often focus on futuristic threats, traditional infrastructure vulnerabilities in the growing AI tech stack remain an immediate concern. Security experts emphasize that containers should not be relied upon as the sole means of isolation, and organizations should implement additional security barriers such as virtualization (Wiz Blog).