Vulnerability Alert: CVE‑2025‑23266: NVIDIAScape: Three‑Line Container Escape in NVIDIA Container Toolkit
Published July 2025 | CVSS 9.0 (Critical)
CVE‑2025‑23266, nicknamed NVIDIAScape, is a pre‑execution flaw in the NVIDIA Container Toolkit. A single OCI hook (createContainer) trusts unfiltered environment variables. By setting LD_PRELOAD (three lines in a Dockerfile) an attacker forces the hook to load a malicious library, break the container boundary, and execute code as root on the host (Ohfeld & Tamari, 2025).
Why this matters
- 37 percent of cloud environments expose the toolkit (Lakshmanan, 2025).
- The exploit needs no credentials, no kernel bugs, and no GPU access—just a crafted image pushed to the victim’s registry.
- Impact spans privilege escalation, data theft, model exfiltration, and complete node take‑over (Tenable, 2025).
Technical Attack Path
- Attacker builds an image:
FROM nvidia/cuda:12.4.1-base
ENV LD_PRELOAD=/tmp/libescape.so
COPY libescape.so /tmp/ - Victim deploys the image on a GPU node.
- NVIDIA hook loads
libescape.sobefore namespace isolation completes. - Library spawns a root shell on the host.
- Result: full control of every workload on that node.
Affected Systems
- All versions of NVIDIA Container Toolkit prior to the July 2025 security update.
- Kubernetes clusters running GPU Operator inherit the same risk.
- Any cloud service that schedules untrusted GPU containers is vulnerable.
Recommended Actions (AppSec)
Priority 1
- Patch immediately: upgrade
nvidia-container-toolkitandgpu-operatorto the July 2025 release. - Block deployments of images containing
LD_PRELOAD, LD_LIBRARY_PATH, or custom OCI hooks until patched.
Priority 2
- Search SBOMs and registries for images derived from
nvidia/*bases. - Scan running pods for unusual
LD_PRELOADsettings.
Priority 3
- Enforce runtime policies (e.g., SELinux/AppArmor) that disallow host‑level file writes from the hook path.
- Restrict cluster‑admin rights; the exploit still needs an image to be scheduled.
Incident‑Response Checklist
- Contain: cordon GPU nodes; snapshot filesystem at
/run/oci/hooks.d. - Investigate: review kube‑audit for images with custom preload values.
- Eradicate: rebuild nodes with patched toolkit; rotate cluster credentials.
- Hunt: look for unexpected host processes owned by
containerdchildren.
How Kodem Protects Customers
- Instant visibility: Kodem SCA pinpoints
- where vulnerable NVIDIA Toolkit packages are installed,
- where containers using them are running in production, and
- which GPU nodes are exposed to external image pulls.
- Runtime defense: eBPF sensors flag any untrusted library load during OCI hook execution and block the chain before root access is gained.
- Attack‑path graph correlates Dockerfile → OCI hook → host shell, giving IR teams one‑click forensics.
- Exploits have been auto‑mitigated in customer environments since the advisory dropped; future attempts remain monitored.
Key Takeaways
- Container escape can be a three‑line change—treat every OCI hook as potential RCE.
- GPU nodes run the most sensitive AI workloads; harden them like production databases.
- Static images tell you what’s inside; runtime telemetry tells you what actually happened.
- “If your defense ends at image scanning, the runtime already won.”
References
- Lakshmanan, R. (2025, July 18). Critical NVIDIA Container Toolkit flaw allows privilege escalation on AI cloud services. The Hacker News.
- Ohfeld, N., & Tamari, S. (2025, July 17). NVIDIAScape – critical NVIDIA AI vulnerability: A three‑line container escape in NVIDIA Container Toolkit (CVE‑2025‑23266). Wiz Blog.
- Tenable. (2025). CVE‑2025‑23266. https://www.tenable.com/cve/CVE‑2025‑23266
Related blogs
CVE-2026-21858: Ni8mare: Unauthenticated Remote Code Execution in n8n
An unauthenticated Remote Code Execution (RCE) flaw, tracked as CVE-2026-21858 (CVSS 10.0), has been discovered in n8n, the widely-adopted workflow automation platform. With over 100 million Docker pulls and an estimated 100,000 locally deployed instances, this vulnerability transforms n8n from a productivity tool into a severe single point of potential failure for organizations globally.
Guess Who's Back: Shai-Hulud 3.0 The Golden Path
Security analysts recently identified a new variant of the Shai-Hulud npm supply chain worm in the public registry, signaling continued evolution of this threat family. This variant, dubbed “The Golden Path” exhibits modifications from prior waves of the malware, suggesting ongoing evolution in the threat actor’s tradecraft.
Kai at Work: A Day in the Life of an AI AppSec Engineer
Kai, Kodem’s secure-by-design AI AppSec Engineer, is integrated directly into the platform to deliver contextualized and actionable answers precisely when AppSec teams need them. By converting your existing security data into conversational intelligence, Kai eliminates the need for hours of manual investigation and context-switching. You can now ask questions as you would to a senior, humble, and tireless engineer.
A Primer on Runtime Intelligence
See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.
Platform Overview Video
Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.
The State of the Application Security Workflow
This report aims to equip readers with actionable insights that can help future-proof their security programs. Kodem, the publisher of this report, purpose built a platform that bridges these gaps by unifying shift-left strategies with runtime monitoring and protection.
.png)
Get real-time insights across the full stack…code, containers, OS, and memory
Watch how Kodem’s runtime security platform detects and blocks attacks before they cause damage. No guesswork. Just precise, automated protection.
Stay up-to-date on Audit Nexus
A curated resource for the many updates to cybersecurity and AI risk regulations, frameworks, and standards.