Experts from the company Wiz have discovered a critical vulnerability in the Nvidia Container Toolkit. According to the researchers, the issue could pose a significant threat to managed cloud AI services.
The vulnerability has been named NvidiaScape and is identified as CVE-2025-23266 (9.0 on the CVSS scale). The issue was first demonstrated by Wiz experts in early 2025 at the Pwn2Own Berlin hacking competition. At that time, the bug and its exploit earned the company’s team a reward of $30,000.
Developers at Nvidia have informed customers about a vulnerability and its patch in a bulletin published last week. According to the manufacturer, this critical vulnerability can lead to privilege escalation, information disclosure, data manipulation, and DoS attacks.
The bug affected all versions of the Nvidia Container Toolkit up to and including 1.17.7 and the Nvidia GPU Operator up to and including 25.3.0. The manufacturer resolved the issue in versions 1.17.8 and 25.3.1, respectively.
Nvidia Container Toolkit is designed for creating and running GPU-accelerated containers and, according to researchers, it is often used by major cloud providers in the operation of managed AI services.
Wiz explains that CVE-2025-23266 is caused by the incorrect configuration of Open Container Initiative (OCI) hooks — mechanisms that allow certain actions to be executed at different stages of a container’s lifecycle. The bug poses the greatest risk to managed AI services in the cloud, where users can run their own containers on shared GPU infrastructure.
This means NvidiaScape can be used by a malicious container to bypass isolation and gain full root access to the host machine. From the host machine, an attacker can steal or manipulate data, as well as impact proprietary AI models of other clients using the same hardware.
Now that the patch has been released, experts have shared technical details of the vulnerability and demonstrated that it can be exploited using a malicious payload and a three-line Dockerfile placed inside the container image.
“This research once again highlights that containers are not a reliable security barrier and should not be relied upon as the sole means of isolation,” warns Wiz. “When developing applications, especially for multi-user environments, vulnerabilities should always be assumed, and at least one reliable isolation barrier, such as virtualization, should be implemented.”
2025.04.08 — Website of Everest ransomware group hacked and defaced
Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…
Full article →
2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members
The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…
Full article →
2025.03.20 — 8,000 vulnerabilities identified in WordPress ecosystem in 2024
According to Patchstack, world's #1 WordPress vulnerability intelligence provider, 7,966 new vulnerabilities were identified in the WordPress ecosystem in 2024; most of these bugs affected plugins…
Full article →
2025.04.25 — Asus patches vulnerability in AMI's MegaRAC enabling attackers to brick servers
Asus released patches for the CVE-2024-54085 vulnerability that allows attackers to seize and disable servers. The security hole affects the American Megatrends International (AMI) MegaRAC Baseboard Management…
Full article →
2025.04.30 — Coinbase fixes 2FA bug that made customers panic
Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…
Full article →
2025.04.16 — Android devices will restart every three days to protect user data
Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…
Full article →
2025.01.29 — Google to disable Sync in older Chrome versions
Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…
Full article →
2025.03.12 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies
GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024. CVE-2024-457…
Full article →
2025.02.12 — 2.8 million IP addresses used to brute-force network devices
The Shadowserver Foundation warns of a massive web login brute-forcing attacks targeting nearly 2.8 million IP addresses per day. Unknown attackers are seeking…
Full article →
2025.02.20 — Newly-discovered vulnerabilities in OpenSSH open the door to MiTM and DoS attacks
OpenSSH fixed two vulnerabilities that could result in MiTM and denial of service (DoS) attacks. Interestingly, one of these bugs appeared in the code more than 10…
Full article →