Experts from the company Wiz have discovered a critical vulnerability in the Nvidia Container Toolkit. According to the researchers, the issue could pose a significant threat to managed cloud AI services.
The vulnerability has been named NvidiaScape and is identified as CVE-2025-23266 (9.0 on the CVSS scale). The issue was first demonstrated by Wiz experts in early 2025 at the Pwn2Own Berlin hacking competition. At that time, the bug and its exploit earned the company’s team a reward of $30,000.
Developers at Nvidia have informed customers about a vulnerability and its patch in a bulletin published last week. According to the manufacturer, this critical vulnerability can lead to privilege escalation, information disclosure, data manipulation, and DoS attacks.
The bug affected all versions of the Nvidia Container Toolkit up to and including 1.17.7 and the Nvidia GPU Operator up to and including 25.3.0. The manufacturer resolved the issue in versions 1.17.8 and 25.3.1, respectively.
Nvidia Container Toolkit is designed for creating and running GPU-accelerated containers and, according to researchers, it is often used by major cloud providers in the operation of managed AI services.
Wiz explains that CVE-2025-23266 is caused by the incorrect configuration of Open Container Initiative (OCI) hooks — mechanisms that allow certain actions to be executed at different stages of a container’s lifecycle. The bug poses the greatest risk to managed AI services in the cloud, where users can run their own containers on shared GPU infrastructure.
This means NvidiaScape can be used by a malicious container to bypass isolation and gain full root access to the host machine. From the host machine, an attacker can steal or manipulate data, as well as impact proprietary AI models of other clients using the same hardware.
Now that the patch has been released, experts have shared technical details of the vulnerability and demonstrated that it can be exploited using a malicious payload and a three-line Dockerfile placed inside the container image.
“This research once again highlights that containers are not a reliable security barrier and should not be relied upon as the sole means of isolation,” warns Wiz. “When developing applications, especially for multi-user environments, vulnerabilities should always be assumed, and at least one reliable isolation barrier, such as virtualization, should be implemented.”
2025.03.20 — 8,000 vulnerabilities identified in WordPress ecosystem in 2024
According to Patchstack, world's #1 WordPress vulnerability intelligence provider, 7,966 new vulnerabilities were identified in the WordPress ecosystem in 2024; most of these bugs affected plugins…
Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals
Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…
Full article →
2025.02.12 — 2.8 million IP addresses used to brute-force network devices
The Shadowserver Foundation warns of a massive web login brute-forcing attacks targeting nearly 2.8 million IP addresses per day. Unknown attackers are seeking…
Full article →
2025.04.30 — Coinbase fixes 2FA bug that made customers panic
Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…
Full article →
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage
According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…
Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →
2025.01.28 — J-magic backdoor attacked Juniper Networks devices using 'magic packets'
A massive backdoor attack targeting Juniper routers often used as VPN gateways has been uncovered. The devices were attacked by the J-magic malware that…
Full article →
2025.02.06 — Let's Encrypt to stop sending expiration notification emails
The nonprofit organization announced that, starting June 4, 2025, it will stop sending expiration notification emails to subscribers. The primary reason behind this decision…
Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article →
2025.01.25 — 18,000 script kiddies have been infected with backdoor via XWorm RAT builder
According to CloudSEK analysts, malefactors attack novice hackers using a fake malware builder. Script kiddies' systems become infected with a backdoor that steals data and subsequently…
Full article →