Vulnerability Alert: CVE‑2025‑23266: NVIDIAScape: Three‑Line Container Escape in NVIDIA Container Toolkit

Technical Attack Path

1. Attacker builds an image:
   FROM nvidia/cuda:12.4.1-base  
ENV LD_PRELOAD=/tmp/libescape.so  
COPY libescape.so /tmp/‍
2. Victim deploys the image on a GPU node.
3. NVIDIA hook loads libescape.so before namespace isolation completes.
4. Library spawns a root shell on the host.
5. Result: full control of every workload on that node.

Affected Systems

• All versions of NVIDIA Container Toolkit prior to the July 2025 security update.
• Kubernetes clusters running GPU Operator inherit the same risk.
• Any cloud service that schedules untrusted GPU containers is vulnerable.

Recommended Actions (AppSec)

Priority 1  

• Patch immediately: upgrade nvidia-container-toolkit and gpu-operator to the July 2025 release.
• Block deployments of images containing LD_PRELOAD, LD_LIBRARY_PATH, or custom OCI hooks until patched.

Priority 2

• Search SBOMs and registries for images derived from nvidia/* bases.
• Scan running pods for unusual LD_PRELOAD settings.

Priority 3

• Enforce runtime policies (e.g., SELinux/AppArmor) that disallow host‑level file writes from the hook path.
• Restrict cluster‑admin rights; the exploit still needs an image to be scheduled.

Incident‑Response Checklist

1. Contain: cordon GPU nodes; snapshot filesystem at /run/oci/hooks.d.
2. Investigate: review kube‑audit for images with custom preload values.
3. Eradicate: rebuild nodes with patched toolkit; rotate cluster credentials.
4. Hunt: look for unexpected host processes owned by containerd children.

How Kodem Protects Customers

• Instant visibility: Kodem SCA pinpoints
  
  1. where vulnerable NVIDIA Toolkit packages are installed,
  2. where containers using them are running in production, and
  3. which GPU nodes are exposed to external image pulls.
• Runtime defense: eBPF sensors flag any untrusted library load during OCI hook execution and block the chain before root access is gained.
• Attack‑path graph correlates Dockerfile → OCI hook → host shell, giving IR teams one‑click forensics.
• Exploits have been auto‑mitigated in customer environments since the advisory dropped; future attempts remain monitored.

Key Takeaways

• Container escape can be a three‑line change—treat every OCI hook as potential RCE.
• GPU nodes run the most sensitive AI workloads; harden them like production databases.
• Static images tell you what’s inside; runtime telemetry tells you what actually happened.
• “If your defense ends at image scanning, the runtime already won.”

References

• Lakshmanan, R. (2025, July 18). Critical NVIDIA Container Toolkit flaw allows privilege escalation on AI cloud services. The Hacker News.
• Ohfeld, N., & Tamari, S. (2025, July 17). NVIDIAScape – critical NVIDIA AI vulnerability: A three‑line container escape in NVIDIA Container Toolkit (CVE‑2025‑23266). Wiz Blog.
• Tenable. (2025). CVE‑2025‑23266. https://www.tenable.com/cve/CVE‑2025‑23266