CVE-2024-0135
Published: 28 January 2025
Description
NVIDIA Container Toolkit contains an improper isolation vulnerability where a specially crafted container image could lead to modification of a host binary. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
Security Summary
CVE-2024-0135 is an improper isolation vulnerability in the NVIDIA Container Toolkit: a specially crafted container image could lead to modification of a host binary. Successful exploitation may result in code execution, denial of service, escalation of privileges, information disclosure, and data tampering. The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H) and is associated with CWE-653.
An attacker requires high privileges (PR:H) on the target system and must convince a user to interact with a malicious container image (UI:R), such as loading or running it. The attack is feasible over the network (AV:N) but involves high complexity (AC:H). Exploitation changes the scope (S:C) and can achieve high impacts on confidentiality, integrity, and availability, including arbitrary code execution on the host and privilege escalation beyond the container's isolation.
NVIDIA has published a security advisory at https://nvidia.custhelp.com/app/answers/detail/a_id/5599 detailing the vulnerability, which was disclosed on 2025-01-28. Practitioners should consult this advisory for patch information and mitigation guidance.
Details
- CWE(s)