Critical Container Escape Vulnerability Found in NVIDIA Toolkit Threatens AI Cloud Security

Cybersecurity researchers have uncovered a critical container escape vulnerability in the NVIDIA Container Toolkit, raising serious concerns for managed AI cloud services. Identified as CVE-2025-23266 and dubbed “NVIDIAScape” by Google-owned cloud security firm Wiz, the flaw carries a high severity CVSS score of 9.0 out of 10.0.

The vulnerability affects all versions of the NVIDIA Container Toolkit up to 1.17.7 and the NVIDIA GPU Operator up to 25.3.0, with patches released in versions 1.17.8 and 25.3.1 respectively. The toolkit is widely used to build and run GPU-accelerated Docker containers, while the GPU Operator automates deployment of these containers on GPU nodes within Kubernetes clusters.

“NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions,” NVIDIA stated in an advisory. “A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial-of-service.”

According to Wiz’s analysis published on Thursday, the flaw exists due to a misconfiguration in how the toolkit handles the Open Container Initiative (OCI) hook called “createContainer.” This vulnerability enables attackers to achieve full server takeover using a remarkably simple exploit involving just a three-line Dockerfile.

“By setting LD_PRELOAD in their Dockerfile, an attacker could instruct the nvidia-ctk hook to load a malicious library,” explained Wiz researchers Nir Ohfeld and Shir Tamari. “Making matters worse, the createContainer hook executes with its working directory set to the container’s root filesystem. This means the malicious library can be loaded directly from the container image with a simple path, completing the exploit chain.”
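
For defenders, the version ranges and the LD_PRELOAD behaviour described above translate into a simple pre-scheduling check. The following is an added example, not code from NVIDIA, Wiz or the original article; the function names, the deny/review/allow policy and the sample image config are assumptions made for illustration.

```python
import re

# Fixed releases named in the article; anything lower is affected.
FIXED = {"nvidia-container-toolkit": (1, 17, 8), "gpu-operator": (25, 3, 1)}

def parse_version(text):
    """Leading x.y.z of a version string ('v25.3.0', '1.17.7-1') as a tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(component, version):
    return parse_version(version) < FIXED[component]

def preload_entries(image_config):
    """LD_PRELOAD values set in an image's Env.

    Accepts an OCI image config ('config' key) or one element of
    `docker image inspect` output ('Config' key).
    """
    cfg = image_config.get("config") or image_config.get("Config") or {}
    values = []
    for entry in cfg.get("Env") or []:
        name, _, value = entry.partition("=")
        if name == "LD_PRELOAD":
            values.append(value)
    return values

def admission_decision(image_config, toolkit_version):
    """'deny' | 'review' | 'allow' for scheduling this image on a GPU node."""
    sets_preload = bool(preload_entries(image_config))
    if sets_preload and is_affected("nvidia-container-toolkit", toolkit_version):
        return "deny"      # image env would reach a hook on an unpatched host
    if sets_preload:
        return "review"    # host is patched; still worth a manual look
    return "allow"         # says nothing about patch level: upgrade regardless

# Constructed sample image config (not taken from any real image).
SAMPLE_IMAGE = {"config": {"Env": [
    "PATH=/usr/local/bin:/usr/bin:/bin",
    "LD_PRELOAD=./constructed-example.so",
]}}

if __name__ == "__main__":
    print(admission_decision(SAMPLE_IMAGE, "1.17.7"))
```

An "allow" result only means the image does not set LD_PRELOAD; hosts below the fixed versions still need the upgrade.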

Wiz highlighted that this flaw affects approximately 37% of cloud environments, potentially allowing attackers to access or manipulate sensitive data and proprietary AI models of other customers sharing the same hardware.

The disclosure follows recent reports by Wiz of other high-severity vulnerabilities in NVIDIA’s Container Toolkit that could also enable complete host takeover. Emphasizing the ongoing risks, Wiz commented, “While the hype around AI security risks tends to focus on futuristic, AI-based attacks, ‘old-school’ infrastructure vulnerabilities in the ever-growing AI tech stack remain the immediate threat that security teams should prioritize.”

The firm also warned that “containers are not a strong security barrier and should not be relied upon as the sole means of isolation,” advising developers to “assume a vulnerability” and implement additional security layers such as virtualization, especially in multi-tenant environments.
