
NVIDIA has released a security update to address a high-severity vulnerability in its Container Toolkit for Linux and GPU Operator. The vulnerability, identified as CVE-2025-23359 and assigned a CVSS base score of 8.3, could allow attackers to gain access to the host file system, potentially leading to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
The NVIDIA Container Toolkit enables developers to build and run GPU-accelerated applications within containers. The vulnerability arises from a Time-of-Check Time-of-Use (TOCTOU) flaw that can be exploited by a crafted container image to gain unauthorized access to the host system.
“NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system,” the security bulletin explains.
The CVE-2025-23359 vulnerability affects all versions of the NVIDIA Container Toolkit for Linux up to and including 1.17.3 and all versions of the NVIDIA GPU Operator up to and including 24.9.1. To mitigate this vulnerability, NVIDIA has released updated versions of the affected software. Users are urged to upgrade to NVIDIA Container Toolkit version 1.17.4 or later and NVIDIA GPU Operator version 24.9.2 or later.
This vulnerability does not affect deployments that use the Container Device Interface (CDI). However, the fix changes the default behavior of the NVIDIA Container Toolkit: the CUDA compatibility libraries shipped in a container image under /usr/local/cuda/compat are no longer mounted onto the default library path of the running container. Applications that depend on this behavior may be affected.
A feature flag, allow-cuda-compat-libs-from-container, was added to the NVIDIA Container Toolkit so that users can opt in to the previous behavior if required. However, NVIDIA warns that “Opting-in to the previous behavior will remove protection against this vulnerability and is not recommended.”
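As an added example, not code from NVIDIA or the bulletin, the following Python helper turns the affected-version ranges, the CDI exception and the opt-in flag described above into a single exposure check that can be run over an inventory of hosts. The config.toml path and the [features] section the flag is assumed to live under are assumptions; only the flag name and version thresholds come from the advisory.

```python
"""Exposure check for CVE-2025-23359 (NVIDIA Container Toolkit / GPU Operator)."""
import re

# Thresholds from the advisory: 1.17.4 and 24.9.2 are the first fixed releases.
FIXED_TOOLKIT = (1, 17, 4)
FIXED_OPERATOR = (24, 9, 2)
OPT_IN_FLAG = "allow-cuda-compat-libs-from-container"  # name from the advisory

# Constructed sample of a config.toml that opts back into the vulnerable
# behaviour. The [features] section and file location are assumptions.
SAMPLE_OPT_IN_CONFIG = """\
# /etc/nvidia-container-runtime/config.toml (constructed sample)
[features]
allow-cuda-compat-libs-from-container = true
"""


def parse_version(text):
    """Parse '1.17.4', 'v24.9.2' or '1.17.4-1' (package revision) into a tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def opt_in_enabled(config_toml):
    """True if the config explicitly sets the opt-in flag to true."""
    pattern = re.compile(
        rf"^\s*{re.escape(OPT_IN_FLAG)}\s*=\s*(true|false)\s*$", re.M | re.I
    )
    m = pattern.search(config_toml)
    return bool(m and m.group(1).lower() == "true")


def assess(toolkit_version, operator_version=None, uses_cdi=False, config_toml=""):
    """Return (status, reason) for one host: 'vulnerable', 'fixed' or 'not-affected'."""
    if uses_cdi:
        return "not-affected", "CDI deployments are not affected per the bulletin"
    if parse_version(toolkit_version) < FIXED_TOOLKIT:
        return "vulnerable", f"Container Toolkit {toolkit_version} is below 1.17.4"
    if operator_version is not None and parse_version(operator_version) < FIXED_OPERATOR:
        return "vulnerable", f"GPU Operator {operator_version} is below 24.9.2"
    if opt_in_enabled(config_toml):
        return "vulnerable", f"{OPT_IN_FLAG} = true removes the fix's protection"
    return "fixed", "patched release running with the default configuration"
```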
Users of the NVIDIA Container Toolkit and GPU Operator should prioritize updating to the latest versions to protect their systems from potential attacks.