Cybersecurity researchers have uncovered a critical security flaw in the NVIDIA Container Toolkit. Revealing that a previously patched vulnerability remains exploitable — posing serious risks to containerized environments and host systems.
The issue centers on CVE-2024-0132, a Time-of-Check to Time-of-Use (TOCTOU) vulnerability that was initially patched by NVIDIA in September 2024. The flaw, which received a CVSS score of 9.0, could allow attackers to break out of container isolation and access the underlying host.
However, new analysis from Trend Micro shows that the fix was incomplete — and that the vulnerability can still be bypassed under specific conditions. The re-emergence of the issue has been assigned a new identifier: CVE-2025-23359, also rated 9.0 in severity.
Incomplete Nvidia Patch Enables Container Escape
The vulnerability impacts NVIDIA Container Toolkit version 1.17.4, specifically when the feature allow-cuda-compat-libs-from-container is enabled. According to Trend Micro researcher Abdelrahman Esmail, the flaw resides in the mount_files function, which lacks proper locking mechanisms.
This oversight allows a specially crafted container to manipulate file operations at the right moment, potentially escaping isolation and executing arbitrary code on the host system with root privileges.
While attackers must already have code execution access within a container, the ability to escalate privileges and compromise the host makes this a serious threat in shared or untrusted container environments. “These issues could enable attackers to escape container isolation, access sensitive host resources, and cause severe operational disruptions,” Esmail warned.
The vulnerability was first flagged as a bypass to CVE-2024-0132 by cloud security firm Wiz in February 2025. NVIDIA addressed the issue in the latest 1.17.4 release, but only when configured correctly. Organisations that rely on GPU compatibility features within containers may be unknowingly exposed.
Docker Performance Flaw Could Lead to DoS
Trend Micro’s investigation also uncovered a related performance issue affecting Docker on Linux systems, which could trigger a denial-of-service (DoS) condition.
The problem arises when multiple mounts are created with bind-propagation=shared — a configuration used for container volume sharing. If not properly cleaned up, these mounts leave residual entries in the Linux mount table, even after the container is terminated.
Over time, this results in:
- Uncontrolled mount table growth
- Exhaustion of file descriptors
- System performance degradation
- Inability to create new containers
- Loss of remote access (e.g., via SSH)
Esmail noted: “This excessively large mount table leads to a huge performance issue, preventing users from connecting to the host.”
Mitigation Strategies for Sysadmins
To reduce the risk of exploitation and performance issues, security experts recommend the following best practices:
- Monitor the Linux mount table for abnormal growth
- Restrict Docker API access to trusted administrators only
- Implement strong access controls for container creation
- Audit container-to-host volume mounts and socket bindings
- Update to NVIDIA Container Toolkit 1.17.4 and ensure secure configuration of CUDA compatibility features
With containerized workloads increasingly running production-level AI and GPU-accelerated applications, ensuring that isolation boundaries are secure and resilient is more critical than ever.
As container security evolves, incomplete patches like this serve as a reminder that security doesn’t end at the patch — it continues with configuration, monitoring, and proactive threat modeling.
