CVE-2025-23266: NVIDIA Container Toolkit Privilege Escalation

CVE-2025-23266 Overview

CVE-2025-23266 is a privilege escalation vulnerability in the NVIDIA Container Toolkit affecting all supported platforms. The flaw resides in container initialization hooks that resolve binaries through an untrusted search path [CWE-426]. An attacker controlling a container image can execute arbitrary code with elevated permissions on the host. The vulnerability has been publicly analyzed under the name NVIDIAScape and enables container escape in environments running GPU-accelerated workloads, including shared AI and machine learning infrastructure.

Critical Impact

Successful exploitation leads to privilege escalation, data tampering, information disclosure, and denial of service on the underlying host running the NVIDIA Container Toolkit.

Affected Products

• NVIDIA Container Toolkit (all platforms)
• NVIDIA GPU Operator deployments using the affected toolkit
• Container runtimes integrating NVIDIA hooks for GPU passthrough

Discovery Timeline

• 2025-07-17 - CVE-2025-23266 published to the National Vulnerability Database
• 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-23266

Vulnerability Analysis

The NVIDIA Container Toolkit injects hooks into the Open Container Initiative (OCI) lifecycle to provision GPU devices and libraries inside containers. These hooks run with elevated privileges on the host during container startup. The toolkit resolves helper binaries and libraries using a search path that an attacker-controlled container image can influence. By placing a malicious binary at a path that the hook trusts, an attacker causes the host-side hook process to execute attacker-supplied code outside the container boundary.

The issue is categorized as an untrusted search path weakness. The hook does not sufficiently validate the origin of the executables it loads during initialization, allowing image-supplied content to take precedence over expected host binaries. Exploitation requires only the ability to run a crafted container, which is common in multi-tenant AI platforms and managed Kubernetes clusters that expose GPU workloads.

Root Cause

The root cause is improper control of the binary and library resolution path in container initialization hooks, as classified by CWE-426: Untrusted Search Path. Files placed inside the container image are evaluated by a privileged host component during the pre-start hook phase, breaking the trust boundary between container and host.

Attack Vector

An attacker with permission to launch a container, including through a shared GPU service or compromised CI/CD pipeline, supplies a malicious image. When the NVIDIA Container Toolkit runs its initialization hooks, the attacker-controlled file is loaded with host privileges. The result is code execution as the host user running the runtime, typically root. Detailed exploitation walkthroughs are available in the Wiz.io analysis of NVIDIAScape and the Kidbomb technical writeup.

No verified public exploit code is referenced in the source advisories. See the NVIDIA Support Article for vendor guidance.

Detection Methods for CVE-2025-23266

Indicators of Compromise

• Unexpected child processes spawned by container runtime or NVIDIA hook binaries such as nvidia-container-cli or nvidia-container-runtime-hook executing from non-standard paths.
• Creation of executable files inside container images at paths historically used for NVIDIA helper utilities.
• Outbound network connections originating from the host immediately after a GPU-enabled container starts.

Detection Strategies

• Monitor process lineage on container hosts and flag privileged child processes launched by container initialization hooks during the pre-start phase.
• Inspect container images for binaries that shadow expected NVIDIA toolkit components before allowing them to run.
• Correlate Kubernetes admission events with host-level execution telemetry to identify suspicious GPU workload launches.

Monitoring Recommendations

• Enable runtime protection on container hosts to capture syscall and exec telemetry from hook processes. Singularity Cloud Workload Security provides real-time runtime protection across Linux hosts and Kubernetes nodes that can surface this telemetry.
• Centralize container runtime, Kubernetes audit, and host execution logs in a SIEM with OCSF normalization to investigate cross-boundary execution patterns.
• Alert on writes to NVIDIA toolkit binary paths and on hook processes loading libraries from container-mounted filesystems.

How to Mitigate CVE-2025-23266

Immediate Actions Required

• Apply the patched NVIDIA Container Toolkit release referenced in the NVIDIA Support Article to all affected hosts.
• Audit all nodes running GPU workloads and inventory the installed NVIDIA Container Toolkit and GPU Operator versions.
• Restrict the ability to launch arbitrary container images on multi-tenant GPU infrastructure until patches are deployed.

Patch Information

NVIDIA has issued an updated release of the NVIDIA Container Toolkit that corrects the untrusted search path behavior in the affected initialization hooks. Refer to the official NVIDIA advisory for fixed version numbers and platform-specific upgrade instructions. Kubernetes operators should redeploy the GPU Operator after node-level toolkit updates.

Workarounds

• Disable GPU-accelerated container workloads on shared infrastructure until the toolkit is upgraded on all nodes.
• Enforce image provenance controls so only signed, trusted images from internal registries can be scheduled on GPU nodes.
• Apply admission policies that reject pods requesting GPU resources from untrusted namespaces or service accounts.

# Verify installed NVIDIA Container Toolkit version on each host
nvidia-container-cli --version
dpkg -l | grep nvidia-container-toolkit   # Debian/Ubuntu
rpm -qa | grep nvidia-container-toolkit   # RHEL/CentOS

# Restrict GPU workload scheduling until patched (Kubernetes example)
kubectl cordon <gpu-node>
kubectl drain <gpu-node> --ignore-daemonsets --delete-emptydir-data