- Nvidia confirms a new bug in Container Toolkit and GPU Operator
- The bug allows malicious actors to execute code remotely
- A fix has already been released, so patch now
Nvidia Container Toolkit for Linux, a set of tools that lets developers build and run GPU-accelerated containers using Docker or other container runtimes, carries a vulnerability that allows threat actors to access the host file system and thereby execute malicious code remotely, run denial-of-service attacks, escalate privileges, steal sensitive information, or tamper with the victim's data.
The company confirmed the news in a security advisory and noted that both NVIDIA Container Toolkit and the NVIDIA GPU Operator (a Kubernetes-native solution that automates the deployment, management and monitoring of NVIDIA GPU resources in a Kubernetes cluster) are vulnerable to the bug, which is tracked as CVE-2025-23359.
It was given a severity score of 8.3 and is said to affect all versions of Container Toolkit up to and including 1.17.3, and all versions of the GPU Operator up to and including 24.9.1.
Patch bypass
The bugs were fixed in versions 1.17.4 and 24.9.2 respectively. It is also worth mentioning that the bug is only present on Linux and does not affect use cases where CDI (the Container Device Interface) is used.
Security researchers from Wiz claim that this is actually a bypass of an earlier vulnerability. That earlier bug is tracked as CVE-2024-0132 and has a 9.0 severity score, making it critical, as it could allow malicious actors to mount the host's root file system into a container, giving them free access to almost everything. That access can also be used to launch privileged containers and obtain full host compromise.
Nvidia says the earlier issue was resolved in September 2024. To address the new problem, users are advised to apply the released patches and to make sure not to disable the "--no-cntlibs" flag in production environments.
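The affected and fixed versions above, plus the CDI exception, can be turned into a quick triage check for a fleet inventory. The following is an added example and not code from Nvidia, Wiz or the article; it assumes the version strings come from sources such as "nvidia-ctk --version" output or a Helm chart tag (the sample strings below are constructed), and it compares versions numerically so that a release like 1.17.10 is correctly treated as newer than the 1.17.4 fix rather than sorted as a string.

```python
import re

# Fixed versions as reported in the advisory summarised on this page:
# Container Toolkit <= 1.17.3 is affected (fixed in 1.17.4),
# GPU Operator <= 24.9.1 is affected (fixed in 24.9.2).
FIXED_VERSIONS = {
    "container-toolkit": (1, 17, 4),
    "gpu-operator": (24, 9, 2),
}


def parse_version(text):
    """Extract the first dotted numeric version from free-form text
    (e.g. 'NVIDIA Container Toolkit CLI version 1.17.3' or 'v24.9.1')
    and return it as a tuple of ints for numeric comparison."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_version(component, version_text):
    """True when the installed version is older than the fixed release.
    Tuples are padded so '1.17' compares as '1.17.0'."""
    fixed = FIXED_VERSIONS[component]
    installed = parse_version(version_text)
    width = max(len(installed), len(fixed))
    installed = installed + (0,) * (width - len(installed))
    fixed = fixed + (0,) * (width - len(fixed))
    return installed < fixed


def assess(component, version_text, using_cdi=False):
    """Classify a host as 'patched', 'not-affected-cdi' or 'affected'.
    The CDI exemption follows the advisory statement that CDI-based
    use cases are not affected; version checks run first so a patched
    host is reported as patched regardless of CDI."""
    if not is_vulnerable_version(component, version_text):
        return "patched"
    if using_cdi:
        return "not-affected-cdi"
    return "affected"


# Constructed sample inventory (hostname, component, version text, CDI in use).
SAMPLE_INVENTORY = [
    ("gpu-node-01", "container-toolkit", "NVIDIA Container Toolkit CLI version 1.17.3", False),
    ("gpu-node-02", "container-toolkit", "NVIDIA Container Toolkit CLI version 1.17.4", False),
    ("gpu-node-03", "container-toolkit", "NVIDIA Container Toolkit CLI version 1.17.10", False),
    ("gpu-node-04", "container-toolkit", "NVIDIA Container Toolkit CLI version 1.16.2", True),
    ("k8s-cluster-a", "gpu-operator", "v24.9.1", False),
    ("k8s-cluster-b", "gpu-operator", "v24.9.2", False),
]


def triage(inventory):
    """Return {hostname: status} for every entry in the inventory."""
    return {
        host: assess(component, version_text, using_cdi)
        for host, component, version_text, using_cdi in inventory
    }


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Only hosts reported as "affected" need the toolkit or operator upgrade; hosts exempt through CDI should still be tracked, since the exemption depends on the runtime configuration staying as it is.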
Via The Hacker News