A recently disclosed critical vulnerability in the NVIDIA Container Toolkit, widely used in AI and high-performance computing environments, presents a significant security risk to cloud infrastructures running GPU-accelerated workloads. Tracked as CVE-2025-23266, the vulnerability enables privilege escalation from within containers, allowing attackers to gain root-level access to the host system. With a CVSS score of 9.0 (Critical), the flaw affects a substantial portion of GPU-enabled cloud environments, including those offering multi-tenant AI services.
Vulnerability Details
The issue stems from a misconfiguration in the way the NVIDIA Container Toolkit handles Open Container Initiative (OCI) hooks during container initialization. A malicious actor could exploit this flaw by deploying a container with a manipulated configuration—requiring just a few lines of code—to bypass standard isolation mechanisms and access sensitive resources on the host system.
This attack vector enables container breakout, granting attackers full root access and the ability to manipulate or extract data and models from other containers operating on the same hardware—potentially leading to widespread compromise in shared environments.
Affected Systems
The vulnerability impacts all systems running NVIDIA Container Toolkit versions 1.17.3 and earlier on Linux-based hosts. Given the toolkit’s popularity for enabling GPU access within Docker and Kubernetes environments, this vulnerability affects:
- Cloud service providers supporting AI, ML, and HPC workloads
- Enterprises deploying GPU workloads in containerized environments
- Research institutions and development teams using NVIDIA GPUs at scale
According to security researchers, the flaw could potentially impact over one-third of all containerized GPU workloads globally.
Implications for AI and Cloud Security
The vulnerability poses a specific danger to AI cloud services and multi-tenant environments, where containerized applications from different users share the same underlying GPU infrastructure. Potential risks include:
- Full Host Compromise: Attackers can escalate privileges from within a container to root on the host server.
- Data Exfiltration: Access to proprietary AI models, training data, or customer information stored in adjacent containers.
- Denial of Service or Malicious Use: Attackers could disrupt services, inject malicious models or code, or tamper with sensitive workloads.
- Cloud-Wide Security Breach: In multi-tenant environments, one compromised container could lead to broader exposure across customer accounts.
