CVE-2024-0136
Published: 28 January 2025
Description
NVIDIA Container Toolkit contains an improper isolation vulnerability where a specially crafted container image could lead to untrusted code obtaining read and write access to host devices. This vulnerability is present only when the NVIDIA Container Toolkit is configured in a nondefault way. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
Security Summary
CVE-2024-0136 is an improper isolation vulnerability in the NVIDIA Container Toolkit, where a specially crafted container image can enable untrusted code to obtain read and write access to host devices. This issue affects the NVIDIA Container Toolkit only when configured in a nondefault manner. Classified under CWE-653, it carries a CVSS v3.1 base score of 7.6 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H) and was published on 2025-01-28.
Exploitation requires an attacker with high privileges (PR:H) to deliver a malicious container image over the network (AV:N), involving high attack complexity (AC:H) and user interaction (UI:R). Successful attacks can result in arbitrary code execution, denial of service, privilege escalation, information disclosure, and data tampering on the host system, with significant impact across confidentiality, integrity, and availability in a scoped manner (S:C).
The official NVIDIA security bulletin provides details on mitigation, available at https://nvidia.custhelp.com/app/answers/detail/a_id/5599. Security practitioners should review this advisory for patching instructions and configuration guidance to address the nondefault setups affected by this vulnerability.
Details
- CWE(s)