Nvidia systems could be facing another worrying security flaw

News
By published

Bypass for a previous Nvidia fix has been discovered

Digital image of a lock.
Image Credit: Shutterstock (Image credit: Shutterstock)
  • Nvidia confirms a new bug in Container Toolkit, and GPU Operator
  • The bug allows malicious actors to execute code remotely
  • A fix was already deployed, so patch now

The Nvidia Container Toolkit for Linux, a set of tools that allows devs to build and run GPU-accelerated containers using Docker, or other container runtimes, carries a vulnerability that allows threat actors to gain access to the host file system and thus execute malicious code remotely, run denial of service attacks, escalate privileges, steal sensitive information, or tamper with the victim’s data.

The company confirmed the news in a security advisory, noting both the Nvidia Container Toolkit, and Nvidia GPU Operator (a Kubernetes-native solution that automates the deployment, management, and monitoring of Nvidia GPU resources in a Kubernetes cluster) are vulnerable to the bug which is being tracked as CVE-2025-23359.

It was assigned a severity score of 8.3, and was said to affect all versions of Container Toolkit up to and including 1.17.3, and all versions up to and including 24.9.1 of GPU Operator.

Patch bypass

The bugs were fixed in versions 1.17.4 and 24.9.2 respectively. It is also worth mentioning that the flaw is only present on Linux, and does not impact use cases where CDI is used.

Cybersecurity researchers from Wiz claim this is actually a bypass for another vulnerability. Apparently, the previous bug is tracked as CVE-2024-0132, and has a 9.0 severity score, making it critical, as it could allow malicious actors to mount the host's root file system into a container, granting them free access to virtually anything. What’s more, the access can be used to launch privileged containers and achieve full host compromise.

Nvidia says the issue was fixed in September 2024, and to address the issue, users are advised to apply the released patches, and make sure not to disable the "--no-cntlibs" flag in production environments, it was said.

Via The Hacker News

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
A person's fingers type at a keyboard, with a digital security screen with a lock on it overlaid.
Veeam backup software has a serious security flaw - here's how to stay safe
A person at a laptop with a cybersecure lock symbol floating above it.
Parallels Desktop has some worrying security flaws for Mac users
A computer being guarded by cybersecurity.
Worrying Windows security issue patched by 7-Zip, so patch now
coding
Popular open source vulnerability scanner Nuclei forced to patch worrying security flaw
A VPN runs on a mobile phone placed on a laptop keyboard
SonicWall firewalls hit by worrying cyberattack
Representational image depecting cybersecurity protection
Ivanti reveals major security update, so make sure you're protected
Latest in Security
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Code Skull
US government warns Medusa ransomware has hit hundreds of critical infrastructure targets
Latest in News
Brad Pitt looks over his right shoulder with 'F1' written behind him
Apple Original Films will take you behind-the-scenes of a racing cockpit in new thrilling F1 trailer
Reacher looking down at another character from the Prime Video TV series Reacher
Reacher season 3 becomes Prime Video’s biggest returning show thanks to Hollywood’s biggest heavyweight
Image showing detail of the Leica D-Lux 8
Still can't get a Fujifilm X100VI? This premium Leica compact costs less, and it's in stock
Man using iMessage on an iPhone
Apple will finally enable encrypted RCS messages between iOS and Android, and it's about time
Google Messages update
Google Messages could soon follow WhatsApp with an upgrade that makes it much easier to join group chats
Jason Sudeikis' Ted Lasso pointing at someone in Ted Lasso season 2
Believe it, baby: Ted Lasso season 4 is officially in development for Apple TV+ and Jason Sudeikis will reprise his role as the titular soccer coach
More about security
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.

AI agents can be hijacked to write and send phishing attacks
China

Juniper patches security flaws which could have let hackers take over your router
The small Anker charging station is balanced on its front edge. The word Anker is printed on the front of the charger, which is also the back of the watch charging module.

This little fold-up MagSafe charging station is my new top pick for every trip
See more latest
Most Popular
Brad Pitt looks over his right shoulder with 'F1' written behind him
Apple Original Films will take you behind-the-scenes of a racing cockpit in new thrilling F1 trailer
Google Messages update
Google Messages could soon follow WhatsApp with an upgrade that makes it much easier to join group chats
Reacher looking down at another character from the Prime Video TV series Reacher
Reacher season 3 becomes Prime Video’s biggest returning show thanks to Hollywood’s biggest heavyweight
Nvidia RTX 6000
Details of Nvidia's fastest video card ever leak; RTX Pro 6000 Blackwell GPU will have 96GB GDDR7 ECC memory
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
Hasselblad X2D 100C camera in user's hand, their blue jacket in background
My dream Hasselblad camera is getting a sequel soon, according to new leaks – here are 5 upgrades I’m hoping for
Harry Halpin, CEO and co-founder of Nym Technologies, and Chelsea Manning, Nym Technlogies' security consultant, on stage at the Frontline Club in London during the NymVPN launch on March 13, 2025.
NymVPN is now live – here's everything you need to know
Sony UBP-X700/K shown from the front
Sony launches new version of the best cheap 4K Blu-ray player that drops the streaming tech – but the price looks odd
Ethernet cables with IP addresses in the background
You can now use an IPv4 address as business collateral - and it could be worth millions
Close-up of woman using AirPods Pro 2
AirPods could catch up with Samsung buds with a live translation free upgrade in iOS 19