Security Flaws in NVIDIA Container Toolkit Expose Cloud Environments to Attacks

By Tina Reynolds

NVIDIA is facing scrutiny after high-risk vulnerabilities were found in its Container Toolkit. The flaws make it far easier for attackers to seize control of cloud environments. The most severe flaw, CVE-2025-23266, can be exploited with a shockingly simple three-line Dockerfile. It allows a container escape, putting the sensitive data and proprietary models of other users at risk.

Wiz, a cloud security research company, described the flaws in an in-depth analysis released Thursday. It pointed out that 66% of cloud environments may be affected by these vulnerabilities. CVE-2024-0132 is a critical vulnerability: it has a CVSS score of 9.0 and can be exploited for full host takeover. A third vulnerability, CVE-2025-23359, exposes the same risk with a CVSS score of 8.3.

An attacker who exploits these vulnerabilities could view sensitive data, manipulate it, or steal proprietary models belonging to other customers using the same hardware. Wiz researchers Nir Ohfeld and Shir Tamari explained the mechanism: an attacker could set LD_PRELOAD in their own Dockerfile to coerce the nvidia-ctk hook into loading a malicious library.

“By setting LD_PRELOAD in their Dockerfile, an attacker could instruct the nvidia-ctk hook to load a malicious library,” – Nir Ohfeld and Shir Tamari (Wiz researchers)

In their study, the researchers observed that the createContainer hook runs with its working directory set to the container’s root filesystem. The malicious library can therefore be loaded directly from the container image with a path as trivial as “/malicious”. That step completes the exploit chain.
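A defender-side check for the condition described above, as an added example that is not from Wiz, NVIDIA or the original article: it flags images whose Dockerfile or image configuration sets a dynamic-loader variable. The LD_AUDIT entry in the watch list, the function names and the sample inputs are assumptions made for illustration.

```python
import json
import re
import shlex

# LD_PRELOAD is the variable named in the article. LD_AUDIT is added here as
# an assumption: it also makes the dynamic loader pull in a chosen library.
LOADER_VARS = {"LD_PRELOAD", "LD_AUDIT"}

def dockerfile_env(text):
    """Yield (name, value) for each ENV assignment in Dockerfile text."""
    # Join backslash line continuations so one instruction is one line.
    logical = re.sub(r"\\[ \t]*\r?\n", " ", text)
    for line in logical.splitlines():
        m = re.match(r"\s*ENV\s+(\S.*)", line, re.IGNORECASE)
        if not m:
            continue
        body = m.group(1).strip()
        if "=" in body.split()[0]:
            # Modern form: ENV KEY=value KEY2="value two"
            for token in shlex.split(body):
                name, _, value = token.partition("=")
                yield name, value
        else:
            # Legacy form: ENV KEY value (rest of the line is the value)
            name, *rest = body.split(None, 1)
            yield name, rest[0] if rest else ""

def image_config_env(inspect_json):
    """Yield (name, value) from `docker image inspect` JSON (Config.Env)."""
    for image in json.loads(inspect_json):
        for entry in (image.get("Config") or {}).get("Env") or []:
            name, _, value = entry.partition("=")
            yield name, value

def loader_findings(pairs):
    """Return the assignments that set a dynamic-loader variable."""
    return [(n, v) for n, v in pairs if n in LOADER_VARS]

# Constructed sample inputs (not taken from any real image).
SAMPLE_DOCKERFILE = """\
FROM registry.example/base:1.0
ENV APP_MODE=prod \\
    LD_PRELOAD=/malicious
ENV GREETING hello world
"""
SAMPLE_INSPECT = '[{"Config": {"Env": ["PATH=/usr/bin", "LD_PRELOAD=/malicious"]}}]'

if __name__ == "__main__":
    print(loader_findings(dockerfile_env(SAMPLE_DOCKERFILE)))
    print(loader_findings(image_config_env(SAMPLE_INSPECT)))
```

Checking the image configuration as well as the Dockerfile matters because an admission control point usually sees only the built image, not the file that produced it.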

NVIDIA acknowledged these vulnerabilities in an advisory, stating that “NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions.” They warned that “a successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial-of-service.”

Wiz stressed the need to deal with conventional weaknesses in infrastructure. Though conversations tend to focus on sophisticated, AI-enabled dangers, these basic flaws represent a greater daily threat to security teams.

“While the hype around AI security risks tends to focus on futuristic, AI-based attacks, ‘old-school’ infrastructure vulnerabilities in the ever-growing AI tech stack remain the immediate threat that security teams should prioritize,” – Wiz

Wiz further advised developers to rethink their reliance on containers as a security boundary. It stressed that containers should not be the only means of isolation and called for stronger isolation barriers, such as virtualization.

“Additionally, this research highlights, not for the first time, that containers are not a strong security barrier and should not be relied upon as the sole means of isolation. When designing applications, especially for multi-tenant environments, one should always ‘assume a vulnerability’ and implement at least one strong isolation barrier, such as virtualization,” – Wiz