Researchers at cloud security specialist Wiz have discovered a critical vulnerability in Nvidia’s Container Toolkit and warned that it can pose a serious threat to managed AI cloud services.
The vulnerability has been dubbed NVIDIAScape and is officially tracked as CVE-2025-23266. The flaw was demonstrated earlier this year at the Pwn2Own Berlin hacking competition by Wiz researchers, who earned $30,000 for their exploit.
Nvidia informed customers about the vulnerability and the availability of a patch in an advisory published last week. The vendor says this critical vulnerability (CVSS score of 9.0) can allow privilege escalation, information disclosure, data tampering and DoS attacks.
The Nvidia Container Toolkit is designed for building and running GPU-accelerated containers, and Wiz says it’s often used by major cloud providers for managed AI services.
According to Wiz, CVE-2025-23266 is caused by a misconfiguration related to the handling of Open Container Initiative (OCI) hooks, which enable users to define and execute actions at specified points in a container’s lifecycle.
The biggest risk is in the case of managed AI cloud services that allow users to run their own containers on shared GPU infrastructure.
The NVIDIAScape vulnerability can be exploited by a malicious container to bypass isolation and gain full root access to the host machine. From the host machine the threat actor may be able to steal or manipulate sensitive data and proprietary AI models of all the other customers using the same hardware.
Wiz has shared technical details on the vulnerability and showed how it can be exploited with a malicious payload and a three-line Docker file placed inside a container image.
“This research highlights, not for the first time, that containers are not a strong security barrier and should not be relied upon as the sole means of isolation,” Wiz warned. “When designing applications, especially for multi-tenant environments, one should always ‘assume a vulnerability’ and implement at least one strong isolation barrier, such as virtualization.”
Researchers Find Serious AI Bugs Exposing Meta, Nvidia, and Microsoft Inference Frameworks
Patch Now: Oracle's Fusion Middleware Has Critical RCE Flaw