CVE-2025-23359
Published: 12 February 2025
Description
NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
Security Summary
CVE-2025-23359, published on 2025-02-12, is a Time-of-Check Time-of-Use (TOCTOU) vulnerability (CWE-367) in the NVIDIA Container Toolkit for Linux when used with its default configuration. A crafted container image can exploit this flaw to gain unauthorized access to the host file system. The vulnerability carries a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.
Attackers can exploit this vulnerability remotely without privileges, though exploitation has high attack complexity and requires user interaction, such as convincing a user to deploy or pull a malicious container image. Successful exploitation grants access to the host file system, potentially enabling arbitrary code execution, denial of service, privilege escalation, information disclosure, and data tampering.
NVIDIA's security advisory at https://nvidia.custhelp.com/app/answers/detail/a_id/5616 provides details on patches and mitigations. Additional coverage, including discussion of an incomplete patch, is available at https://thehackernews.com/2025/04/incomplete-patch-in-nvidia-toolkit.html.
Details
- CWE(s)