Recent cybersecurity research has uncovered an incomplete patch for a previously identified vulnerability in the NVIDIA Container Toolkit. The oversight poses significant risk, potentially exposing sensitive data to exploitation if targeted by malicious actors.
Initially reported as CVE-2024-0132, this critical vulnerability, which has a CVSS score of 9.0, is classified as a Time-of-Check Time-of-Use (TOCTOU) flaw. It allows for the possibility of a container escape, granting unauthorized access to the host system. Although NVIDIA released a fix in September 2024, Trend Micro’s latest analysis indicates that the fix fails to address all aspects of the flaw, leaving room for further exploitation.
In addition to the original vulnerability, the analysis has identified a performance issue affecting Docker on Linux, potentially leading to a denial-of-service (DoS) scenario. This performance flaw could disrupt operations, amplifying the risk associated with NVIDIA’s toolkit.
According to Abdelrahman Esmail, a researcher at Trend Micro, these compounded issues could enable attackers to bypass container isolation, access critical host resources, and induce serious operational interruptions. The persistence of the TOCTOU vulnerability means that an attacker with a specially crafted container could exploit it to gain access to the host file system and execute arbitrary commands at elevated privileges. This issue specifically impacts version 1.17.4 when the allow-cuda-compat-libs-from-container feature is enabled.
Trend Micro elaborated on the vulnerability, pinpointing an issue within the mount_files function that stems from improper locking during object operations. Attackers can leverage this weakness to escalate privileges and execute code within the host’s context, further elevating the threat level.
To fully exploit this vulnerability, however, an attacker must first gain the capability to execute code within a container. This escalation has been categorized as CVE-2025-23359, with a CVSS score of 9.0, which cloud security firm Wiz previously highlighted as a bypass for CVE-2024-0132, back in February 2025. This issue was acknowledged and addressed in version 1.17.4 of the toolkit.
The analysis also brought to light a significant performance degradation issue triggered by the creation of new containers with multiple mounts configured using bind-propagation set to shared. This flaw results in the accumulation of entries in the Linux mount table even after container termination, causing a rapid increase that can exhaust available file descriptors, ultimately leading to DoS conditions when Docker attempts to create new containers.
To mitigate these vulnerabilities, cybersecurity experts recommend monitoring the Linux mount table for unusual growth patterns, restricting Docker API access to authorized users, enforcing stringent access controls, and conducting regular audits of filesystem bindings and mount configurations. Implementing these measures will help organizations enhance their resilience against potential exploits targeting the NVIDIA Container Toolkit.
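The mount-table growth described above, and the monitoring the mitigation advice calls for, can be checked with a small parser over /proc/self/mountinfo. This is an added example, not Trend Micro's or NVIDIA's code; the sample mountinfo lines and the growth threshold are constructed assumptions.

```python
"""Detect runaway growth of the Linux mount table from /proc/self/mountinfo snapshots."""
from dataclasses import dataclass
from typing import List

@dataclass
class MountEntry:
    mount_id: int
    mount_point: str
    fstype: str
    shared: bool  # carries a "shared:N" optional field, i.e. shared propagation

def parse_mountinfo(text: str) -> List[MountEntry]:
    """Parse mountinfo text (field layout per proc(5)).

    Optional fields such as shared:N sit between the mount options and the
    ' - ' separator; everything after the separator is fstype, source, options.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")
        fields = left.split()
        if len(fields) < 6 or not right:
            continue  # malformed line: skip it rather than crash the monitor
        optional = fields[6:]
        entries.append(MountEntry(
            mount_id=int(fields[0]),
            mount_point=fields[4],
            fstype=right.split()[0],
            shared=any(f.startswith("shared:") for f in optional),
        ))
    return entries

def mount_growth_alert(before: str, after: str, max_growth: int = 100) -> dict:
    """Compare two snapshots; alert when the table grew by more than max_growth entries."""
    b, a = parse_mountinfo(before), parse_mountinfo(after)
    growth = len(a) - len(b)
    return {"before": len(b), "after": len(a), "growth": growth,
            "shared": sum(e.shared for e in a), "alert": growth > max_growth}

# Constructed sample: a baseline and a snapshot after leaked shared bind mounts piled up.
BASELINE = """\
22 1 0:21 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:5 / /proc rw,nosuid,nodev,noexec,relatime shared:2 - proc proc rw
"""
LEAKED = BASELINE + "".join(
    f"{100 + i} 22 0:21 /var/lib/docker /mnt/leak{i} rw,relatime shared:{50 + i} - ext4 /dev/sda1 rw\n"
    for i in range(150)
)

if __name__ == "__main__":
    print(mount_growth_alert(BASELINE, LEAKED, max_growth=100))
```

On a real host, read the two snapshots from /proc/self/mountinfo some interval apart and tune max_growth to the normal churn of container creation.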