Shir Tamari

**Name of the Vulnerable Software and Affected Versions** NVIDIA Container Toolkit versions up to 1.17.7 GPU Operator versions up to 25.3.0 NVIDIA Container Toolkit versions 1.17.8 and 25.3.1 are fixed. **Description** A critical vulnerability (CVE-2025-23266), dubbed “NVIDIAScape”, exists in the NVIDIA Container Toolkit and GPU Operator. This vulnerability allows attackers to escape containers and potentially gain root access on the host system. The flaw is due to a misconfiguration related to the handling of Open Container Initiative (OCI) hooks. Exploitation can be achieved with a simple three-line Dockerfile. Approximately 37% of cloud services are estimated to be affected. Successful exploitation could lead to privilege escalation, information disclosure, data tampering, and denial of service. **Recommendations** NVIDIA Container Toolkit versions prior to 1.17.8 are vulnerable. GPU Operator versions prior to 25.3.1 are vulnerable.

**Name of the Vulnerable Software and Affected Versions** NVIDIA Container Toolkit versions up to and including 1.17.3 NVIDIA GPU Operator versions up to and including 24.9.1 **Description** NVIDIA Container Toolkit and NVIDIA GPU Operator are affected by a Time-of-Check Time-of-Use (TOCTOU) vulnerability. This flaw can allow a crafted container image to gain access to the host file system, potentially leading to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. A bypass was discovered for a previously patched security flaw, reflagged as CVE-2025-23359. The vulnerability exists due to errors in synchronization when using a shared resource, creating a race condition. **Recommendations** NVIDIA Container Toolkit versions up to and including 1.17.3: Upgrade to a newer version to address the vulnerability. NVIDIA GPU Operator versions up to and including 24.9.1: Upgrade to a newer version to address the vulnerability.

**Name of the Vulnerable Software and Affected Versions** NVIDIA Container Toolkit versions are affected, but specific versions are not provided in the input data. **Description** The issue is related to an improper isolation vulnerability where a specially crafted container image could lead to modification of a host binary. A successful exploit may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. The "GET /api/v1/status/{job id}" and "POST /api/v1/search" API endpoints are mentioned, with the `job id` variable and `Content-Type` being relevant. No information is provided about the estimated number of potentially affected devices or real-world incidents. **Recommendations** Since specific affected versions of NVIDIA Container Toolkit are not provided, a general recommendation based on the available data is to apply the latest security update released by NVIDIA for its Container Toolkit and GPU Operator to address the critical vulnerabilities.

**Name of the Vulnerable Software and Affected Versions** NVIDIA Container Toolkit (affected versions not specified) **Description** The NVIDIA Container Toolkit contains an improper isolation vulnerability. A specially crafted container image could lead to untrusted code running in the host’s network namespace. This issue is present only when the NVIDIA Container Toolkit is configured in a nondefault way. A successful exploit may lead to denial of service and escalation of privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NVIDIA Container Toolkit (affected versions not specified) **Description** The NVIDIA Container Toolkit contains an improper isolation vulnerability where a specially crafted container image could lead to untrusted code obtaining read and write access to host devices. This issue is present only when the NVIDIA Container Toolkit is configured in a nondefault way. A successful exploit may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NVIDIA Container Toolkit versions prior to the fixed version NVIDIA GPU Operator versions prior to the fixed version **Description** The issue is related to errors in processing symbolic links, which can be exploited by a remote attacker to impact data integrity. A specially crafted container image can lead to the creation of unauthorized files on the host, although the name and location of these files cannot be controlled by the attacker. This might result in data tampering. **Recommendations** For NVIDIA Container Toolkit versions prior to the fixed version, update to the latest version as outlined in the remediation guide. For NVIDIA GPU Operator versions prior to the fixed version, update to the latest version as outlined in the remediation guide. As a temporary workaround, consider restricting access to the vulnerable components until a patch is available. Review security configurations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NVIDIA Container Toolkit versions 1.16.1 or earlier **Description** The issue is related to the default mode of operation in NVIDIA Container Toolkit, allowing a specially crafted container image to create empty files on the host file system. This vulnerability does not impact use cases where CDI is used. A successful exploit may lead to data tampering. The vulnerability is also associated with a null pointer dereference due to concurrent access to a resource, potentially allowing a remote attacker to modify arbitrary data by using a specially crafted container image. **Recommendations** For NVIDIA Container Toolkit versions 1.16.1 or earlier, consider updating to a version that contains a fix for this issue, as no specific workaround is provided in the given information. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ubuntu kernels (affected versions not specified) **Description** The issue is related to a local privilege escalation vulnerability in Ubuntu kernels, specifically in the overlayfs `ovl copy up meta inode data` function, which skips permission checks when calling `ovl do setxattr`. This allows an attacker to execute arbitrary code or cause a denial of service. The vulnerability has been exploited in real-world incidents to achieve easy root access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs" **Description** The issue is related to the overlayfs file system in Ubuntu kernels, where an unprivileged user may set privileged extended attributes on mounted files without proper security checks, potentially leading to arbitrary code execution or denial of service. This is due to a missing authorization check in the overlayfs file system. **Recommendations** As a temporary workaround, consider disabling the overlayfs file system until a patch is available. Restrict access to the mounted files to minimize the risk of exploitation. Avoid using privileged extended attributes on the mounted files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Open Management Infrastructure (OMI) (affected versions not specified) **Description** The issue is related to a remote code execution vulnerability in the Open Management Infrastructure (OMI) agent, which is installed by default in Linux environments on Microsoft Azure. This vulnerability, also known as OMIGOD, allows an attacker to execute arbitrary code with root privileges. The problem is present in the OMI Agent application, which is installed without the user's knowledge. The estimated number of potentially affected devices worldwide is not specified, but it is mentioned that the vulnerability affects countless Azure customers. There is no information about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Open Management Infrastructure (OMI) (affected versions not specified) **Description** The issue is related to an elevation of privilege vulnerability in Open Management Infrastructure (OMI). It is associated with inadequate access controls in OMI extensions for managing Azure virtual machines. Exploitation of this issue may allow an attacker to elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Open Management Infrastructure (OMI) versions (affected versions not specified) **Description** The issue is related to insufficient access controls in the Open Management Infrastructure (OMI) extensions for managing Azure virtual machines, allowing an attacker to elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Open Management Infrastructure (OMI) (affected versions not specified) **Description** The issue is related to an elevation of privilege vulnerability in Open Management Infrastructure (OMI), which is associated with inadequate access control. This vulnerability can be exploited to allow an attacker to escalate their privileges. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.