
Researcher Discovers Critical NVIDIA Container Vulnerability


Security researchers at Wiz have uncovered a critical vulnerability (CVE-2024-0132) in NVIDIA's Container Toolkit that could allow attackers to escape container isolation and gain full access to host systems. 

The vulnerability, which affects containerized AI applications both in cloud environments and on-premises, poses significant risks to data security and infrastructure.

The research team discovered a Time-of-Check/Time-of-Use (TOCTOU) vulnerability in how NVIDIA's Container Toolkit mounts files into containers.

This security flaw enables malicious actors controlling a container image to break out of the container's isolation and access the host system's root filesystem, potentially compromising sensitive data and infrastructure.

"The vulnerability enables a malicious adversary to mount the host's root filesystem into a container, granting unrestricted access to all of the host's files," explained Wiz researchers in their detailed technical analysis. 


The team demonstrated that attackers could leverage this access to launch privileged containers and achieve full host compromise.

The vulnerability's impact is particularly concerning in multi-tenant environments, where multiple customers share the same Kubernetes cluster. The research revealed that the vulnerability could lead to complete cluster compromise in some cases, affecting multiple tenants simultaneously.

The issue also affects Google's gVisor, which is widely considered the standard for container isolation.

Impact on Google's gVisor

While gVisor supports the NVIDIA Container Toolkit for GPU containers, researchers confirmed it remains vulnerable to this exploit, though some Linux distributions may require modified exploitation techniques.

NVIDIA has addressed these security concerns in version 1.17.4 of the Container Toolkit. The company recommends two critical mitigation steps: updating to the latest version and keeping the --no-cntlibs flag enabled in production environments.
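A fleet check for the first of those steps, as an added example that is not from Wiz, NVIDIA or the original article: it classifies each host's reported Container Toolkit version against the 1.17.4 release named above. The inventory format, host names and version strings are constructed for illustration, and treating release candidates of 1.17.4 as unpatched is an assumption.

```python
import re

FIXED = (1, 17, 4)  # release the article names as containing the fix

# major.minor.patch, optionally followed by a pre-release tag (-rc.1 or ~rc.1).
# A trailing package revision such as "-1" is not a pre-release tag.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-~](rc|alpha|beta)[.\d]*)?")


def classify(version_text):
    """Return 'patched', 'needs-update' or 'unknown' for one version string."""
    m = VERSION_RE.search(version_text)
    if not m:
        return "unknown"  # toolkit missing or version not reported
    release = tuple(int(x) for x in m.group(1, 2, 3))  # numeric, not string, compare
    prerelease = m.group(4) is not None
    if release > FIXED:
        return "patched"
    if release == FIXED and not prerelease:
        return "patched"
    return "needs-update"  # older release, or a pre-release of the fixed version


def audit(inventory):
    """Map each 'host version' line to (host, status); blank lines are skipped."""
    results = []
    for line in inventory.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        version = parts[1] if len(parts) > 1 else ""
        results.append((parts[0], classify(version)))
    return results


# Constructed sample inventory: hypothetical hosts and version strings.
SAMPLE_INVENTORY = """\
gpu-node-01 1.16.1-1
gpu-node-02 1.17.4-1
gpu-node-03 1.17.4~rc.1-1
gpu-node-04 1.9.0
gpu-node-05
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

A host reported as patched still needs its --no-cntlibs setting confirmed separately, since the version number says nothing about that flag.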

The flaw highlights the complexities of container security implementation. As noted in the research, "Even developers with deep experience in Linux security can miss or misconfigure key protections, leaving systems vulnerable to critical exploits. The layered nature of container isolation means that a single overlooked detail can have significant security implications."

Wiz researchers emphasize that containers alone should not be relied upon as the primary security barrier, recommending additional isolation measures such as virtualization, particularly for multi-tenant applications.

The vulnerability has been patched in collaboration with NVIDIA's PSIRT team, who worked closely with Wiz researchers to ensure the original vulnerability and a subsequent bypass (tracked as CVE-2025-23359) were correctly addressed.
