A newly disclosed vulnerability in the NVIDIA Container Toolkit, designated CVE-2025-23266 and referred to as #NVIDIAScape, has exposed a critical flaw in the foundational infrastructure that supports modern AI workloads. With a CVSS score of 9.0, this vulnerability allows a containerized workload to escape its sandbox and gain full root access to the host system. The exploit path is minimal and can be executed with a three-line Dockerfile, requiring no exotic tooling or complex code execution.

This vulnerability stems from the NVIDIA Container Toolkit’s use of OCI (Open Container Initiative) hooks to set up GPU access in containerized workloads.

Due to a configuration flaw, privileged processes on the host can unintentionally inherit environment variables from inside the container. That opens the door for attackers to use LD_PRELOAD to inject and run a malicious shared object during startup, effectively taking control of the host system.

Because this toolkit is so widely used across cloud-based AI environments, the risk is broad and serious, especially in multi-tenant setups where container isolation is expected to be reliable but often falls short.

Why It Matters: As AI workloads continue to scale environments, the reliability of the runtime stack has become a critical foundation. This vulnerability highlights how fragile assumptions around isolation and privilege boundaries can be in real-world deployments. This underscores the need for infrastructure security to be treated as essential to the stability and resilience of AI operations.

• Exploit Simplicity Masks Depth of Exposure: What makes this vulnerability particularly striking is how little effort it takes to exploit. Just three lines in a Dockerfile, a base image, an LD_PRELOAD variable pointing to a malicious .so file, and a command to add that file, are enough to trigger a complete container escape. When the container runs with the NVIDIA runtime, a privileged host process (nvidia-ctk) kicks in and unknowingly picks up the attacker-controlled environment variable. Because this process starts with its working directory set to the container’s filesystem, it loads the malicious payload directly, executing with root privileges and breaking the container’s isolation entirely.

• Serious Implications for Multi-Tenant and Cloud-Native AI Environments: Given that the NVIDIA Container Toolkit is the default path for enabling GPU access in containerized applications, this vulnerability opens up a wide and concerning attack surface. It affects nearly every public cloud provider and managed AI platform. In shared environments where multiple customers or teams run workloads on the same GPU host, this flaw creates a path for one tenant to compromise the underlying infrastructure, along with any sensitive models or data running alongside their container. This raises real challenges around compliance and integrity.

• Vulnerable Versions and Mitigations: The vulnerability affects all NVIDIA Container Toolkit versions up to 1.17.7 (and CDI mode up to 1.17.5), along with all GPU Operator versions through 25.3.1. NVIDIA has released a patched version (1.17.8), and for systems that can’t upgrade right away, it has provided detailed configuration-based mitigations.

• Rethinking How Exposure Is Identified and Prioritized: Because this exploit operates entirely within the container image, traditional signals like open ports or external exposure don’t help in identifying vulnerable systems. Instead, risk needs to be assessed based on how containers are sourced, with special attention given to any infrastructure running user-supplied or community container images.

• A Broader Pattern of Infrastructure-Level Gaps in the AI Stack: #NVIDIAScape follows similar vulnerabilities targeting the runtime layers of cloud AI platforms, including past issues found in Replicate and DigitalOcean. Collectively, these incidents point to a larger trend that support infrastructure hasn’t kept pace with AI’s innovation from a security standpoint. As AI becomes more embedded in enterprise operations, effective security requires a strong emphasis on the resilience of underlying infrastructure, alongside careful oversight of model performance and data governance.

Go Deeper -> NVIDIAScape – Critical NVIDIA AI Vulnerability: A Three-Line Container Escape in NVIDIA Container Toolkit (CVE-2025-23266) – Wiz