Serious Nvidia Toolkit Vulnerability Puts AI Cloud Services at Risk of Hacking
- Dean Charlton

- Jul 18, 2025
- 2 min read
A serious security vulnerability, dubbed NVIDIAScape (CVE-2025-23266), has been found in the NVIDIA Container Toolkit, and it is a direct threat to managed AI cloud services. Discovered by researchers at Wiz, the cloud security specialist that Google has agreed to acquire, the flaw lets a malicious container image gain full root access to the host it runs on, exposing sensitive data and proprietary AI models belonging to every other customer on that machine.
The NVIDIA Container Toolkit is the standard way to build and run GPU-accelerated containers, and it underpins the managed AI services of most major cloud providers. That ubiquity is what makes NVIDIAScape so concerning. Wiz researchers demonstrated the exploit earlier this year at the Pwn2Own Berlin hacking competition, earning $30,000 for the entry and underlining the severity of the issue.
NVIDIA has acknowledged the flaw, which carries a critical CVSS score of 9.0, and has published an advisory pointing customers to the patched releases (NVIDIA Container Toolkit 1.17.8, and GPU Operator 25.3.2 for Kubernetes deployments). The company warns that the vulnerability can lead to privilege escalation, information disclosure, data tampering, and Denial-of-Service (DoS).
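The first thing most teams will want after reading the advisory is a way to find unpatched hosts. The script below is an added example, not code from the article, from Wiz or from NVIDIA: it classifies a host by the toolkit version it reports. It assumes the fix shipped in toolkit 1.17.8 (per NVIDIA's bulletin) and that `nvidia-ctk --version` prints a line of the form "NVIDIA Container Toolkit CLI version X.Y.Z"; the sample outputs embedded in it are constructed, and the version compare is done field by field so that 1.17.10 is correctly treated as newer than 1.17.8.

```shell
#!/bin/sh
# Added example (not from the article or NVIDIA): flag hosts whose NVIDIA
# Container Toolkit predates the fix for CVE-2025-23266.
# Assumptions: the fix shipped in toolkit 1.17.8, and `nvidia-ctk --version`
# prints "NVIDIA Container Toolkit CLI version X.Y.Z" on its first line.

FIXED_VERSION="1.17.8"

# Extract "X.Y.Z" from the first line of $1 that contains "version ".
ctk_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) if dotted version $1 is older than $2.
# Compares numerically field by field, so 1.17.10 > 1.17.8 (a plain
# string compare would get this wrong and call a patched host vulnerable).
version_lt() {
    a="$1"; b="$2"
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        # Both versions exhausted with every field equal: not less-than.
        [ -z "$x" ] && [ -z "$y" ] && return 1
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Print "vulnerable", "patched" or "unknown" for a given `nvidia-ctk --version` output.
# "unknown" is deliberately not treated as safe: a host that will not report a
# version needs a human to look at it.
ctk_status() {
    v=$(ctk_version_from_output "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Constructed sample outputs standing in for real `nvidia-ctk --version` runs.
SAMPLE_OLD='NVIDIA Container Toolkit CLI version 1.17.7
commit: 0123456'
SAMPLE_NEW='NVIDIA Container Toolkit CLI version 1.17.8
commit: 89abcde'

for s in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    echo "$(ctk_version_from_output "$s"): $(ctk_status "$s")"
done

# On a real host, feed the live output instead:
#   ctk_status "$(nvidia-ctk --version 2>/dev/null)"
```

Run it through your fleet tooling of choice (SSH loop, Ansible ad-hoc command, node DaemonSet) and treat both "vulnerable" and "unknown" as findings; on Kubernetes clusters that install the toolkit through the GPU Operator, check the Operator release as well, since the host binary is managed there.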

At its core, CVE-2025-23266 stems from a misconfiguration in how the NVIDIA Container Toolkit handles Open Container Initiative (OCI) hooks. Hooks let the runtime execute extra actions at defined points in a container's lifecycle, such as before the container process starts. The catch is that they run on the host side of the boundary, with the runtime's privileges, not inside the container's sandbox. When a hook's behaviour can be influenced by content that the container image controls, the image gets a foothold outside its own isolation, and that is exactly the opening this misconfiguration created.
The greatest risk is in managed AI cloud services that let users run their own containers on shared GPU infrastructure. There, a malicious container exploiting NVIDIAScape can break out of its intended isolation and hand the attacker full root on the underlying host. From that position a threat actor can read or tamper with the sensitive data and proprietary AI models of every other customer scheduled onto the same machine.
Wiz has published the technical details, showing how the bug can be triggered with a small malicious payload and a three-line Dockerfile inside a container image; no kernel exploit or runtime bug beyond the hook misconfiguration is needed. The finding reinforces a principle security engineers keep having to restate: containers, however convenient, are a packaging and resource-management boundary, not an impenetrable security barrier.
As Wiz emphasised in their warning, "containers are not a strong security barrier and should not be relied upon as the sole means of isolation." They advocate an "assume a vulnerability" mindset when designing applications, particularly for multi-tenant environments, and stress the importance of putting at least one robust isolation barrier, such as virtualization, between tenants in addition to containerization.
What steps are you taking to ensure robust isolation in your cloud environments beyond just containerisation?