Nvidia systems could be facing another worrying security flaw

Digital image of a lock.
Image Credit: Shutterstock (Image credit: Shutterstock)

  • Nvidia confirms a new bug in Container Toolkit, and GPU Operator
  • The bug allows malicious actors to execute code remotely
  • A fix was already deployed, so patch now

The Nvidia Container Toolkit for Linux, a set of tools that allows devs to build and run GPU-accelerated containers using Docker, or other container runtimes, carries a vulnerability that allows threat actors to gain access to the host file system and thus execute malicious code remotely, run denial of service attacks, escalate privileges, steal sensitive information, or tamper with the victim’s data.

The company confirmed the news in a security advisory, noting both the Nvidia Container Toolkit, and Nvidia GPU Operator (a Kubernetes-native solution that automates the deployment, management, and monitoring of Nvidia GPU resources in a Kubernetes cluster) are vulnerable to the bug which is being tracked as CVE-2025-23359.

It was assigned a severity score of 8.3, and was said to affect all versions of Container Toolkit up to and including 1.17.3, and all versions up to and including 24.9.1 of GPU Operator.

Patch bypass

The bugs were fixed in versions 1.17.4 and 24.9.2 respectively. It is also worth mentioning that the flaw is only present on Linux, and does not impact use cases where CDI is used.

Cybersecurity researchers from Wiz claim this is actually a bypass for another vulnerability. Apparently, the previous bug is tracked as CVE-2024-0132, and has a 9.0 severity score, making it critical, as it could allow malicious actors to mount the host's root file system into a container, granting them free access to virtually anything. What’s more, the access can be used to launch privileged containers and achieve full host compromise.

Nvidia says the issue was fixed in September 2024, and to address the issue, users are advised to apply the released patches, and make sure not to disable the "--no-cntlibs" flag in production environments, it was said.

Via The Hacker News

You might also like

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
A person's fingers type at a keyboard, with a digital security screen with a lock on it overlaid.
Veeam backup software has a serious security flaw - here's how to stay safe
A person at a laptop with a cybersecure lock symbol floating above it.
Parallels Desktop has some worrying security flaws for Mac users
A computer being guarded by cybersecurity.
Worrying Windows security issue patched by 7-Zip, so patch now
coding
Popular open source vulnerability scanner Nuclei forced to patch worrying security flaw
A VPN runs on a mobile phone placed on a laptop keyboard
SonicWall firewalls hit by worrying cyberattack
Representational image depecting cybersecurity protection
Ivanti reveals major security update, so make sure you're protected
Latest in Security
A graphic showing someone on a tablet working through a supply chain.
Security issue in open source software leaves businesses concerned for systems
ransomware avast
One of the most powerful ransomware hacks around has been cracked using some serious GPU power
person at a computer
Infamous ransomware hackers reveal new tool to brute-force VPNs
person at a computer
Many workers are overconfident at spotting phishing attacks
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
Data Breach
Thousands of healthcare records exposed online, including private patient information
Latest in News
Panos Panay and Alexa Plus
Amazon's Panos Panay teases future Alexa+ devices from speakers to possible wearables
Metroid Prime 4
I reckon the Nintendo Switch 2 could launch with Metroid Prime 4 – here’s why
Samsung Galaxy Z Fold 6
New rumors predict a foldable iPhone will launch next year – and cost almost twice as much as the iPhone 16 Pro Max
Pebble smartwatch countdown
Pebble confirms its smartwatch announcement is just hours away
Logo of YouTube Shorts
Is YouTube auto-playing Shorts when you open the app? Well, you’re not alone - here’s how to fix it
Google DeepMind panel discussion
“More sovereignty and protection” - Google goes all-in on UK AI with data residency, upskilling projects, and startup investments