PT-2025-6424 · Nvidia · Nvidia Container Toolkit

Andres Riancho

+4

·

Published

2025-02-11

·

Updated

2025-07-16

·

CVE-2025-23359

CVSS v3.1
8.3
VectorAV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

**Name of the Vulnerable Software and Affected Versions:**

NVIDIA Container Toolkit versions up to and including 1.17.3

NVIDIA GPU Operator versions up to and including 24.9.1

**Description:**

NVIDIA Container Toolkit and NVIDIA GPU Operator are affected by a Time-of-Check Time-of-Use (TOCTOU) vulnerability. This flaw can allow a crafted container image to gain access to the host file system, potentially leading to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. A bypass was discovered for a previously patched security flaw, reflagged as CVE-2025-23359. The vulnerability exists due to errors in synchronization when using a shared resource, creating a race condition.

**Recommendations:**

NVIDIA Container Toolkit versions up to and including 1.17.3: Upgrade to a newer version to address the vulnerability.

NVIDIA GPU Operator versions up to and including 24.9.1: Upgrade to a newer version to address the vulnerability.

Exploit

Fix

LPE

DoS

Time Of Check To Time Of Use

Weakness Enumeration

CWE-367

Related Identifiers

BDU:2025-02018
CVE-2025-23359
ZDI-25-087

Affected Products

Nvidia Container Toolkit