Despite a previous fix, a critical vulnerability in the NVIDIA Container Toolkit has resurfaced, exposing containerized environments to potential privilege escalation and host-level compromise. The issue lies in an incomplete patch for a severe Time-of-Check Time-of-Use (TOCTOU) flaw—CVE-2024-0132—which still leaves systems open to container escape attacks.

🛠️ Background on CVE-2024-0132

Initially patched in September 2024, CVE-2024-0132 (CVSS: 9.0) is a classic TOCTOU race condition, where an attacker can exploit the time gap between a system checking a condition and using the result of that check—opening the door for malicious race-based privilege escalations. In this case, the attack vector allowed unauthorized access to the host from within a container.

However, new research by Trend Micro reveals that the patch was incomplete, and attackers can still bypass container isolation if specific features are enabled.

⚠️ New Variant: CVE-2025-23359

Trend Micro's security research uncovered a new, related vulnerability—CVE-2025-23359 (CVSS: 9.0)—which acts as a bypass for the original flaw. This vulnerability affects NVIDIA Container Toolkit version 1.17.4, particularly when the configuration flag allow-cuda-compat-libs-from-container is explicitly enabled.

The vulnerability lies in the mount_files function, where a lack of proper locking during mount operations allows attackers to exploit race conditions. A malicious container can leverage this to:

Escape the container environment
Access the host’s file system
Execute arbitrary code as root

🔐 "These issues could enable attackers to escape container isolation, access sensitive host resources, and cause severe operational disruptions." — Abdelrahman Esmail, Trend Micro

🧱 Prerequisites for Exploitation

It’s important to note that exploitation requires the attacker to already have access to execute code inside a container—making this a post-compromise privilege escalation. However, in shared or multi-tenant environments, this scenario is highly plausible and dangerous.

🐌 Performance Bottleneck Leading to DoS

While analyzing the TOCTOU issue, researchers also found a performance-related vulnerability affecting Docker on Linux, potentially leading to Denial-of-Service (DoS):

When containers are launched with bind-propagation=shared and terminated, their mount entries are not cleaned up from the Linux mount table.
Over time, this causes mount table bloat, exhausts file descriptors (FDs), and prevents new container creation.
Eventually, the system may become unresponsive to remote logins (e.g., SSH).

🧠 "This leads to a rapid and uncontrollable growth of the mount table... Docker becomes unable to create new containers due to fd exhaustion." — Esmail

🛡️ Mitigation & Defense Recommendations

To mitigate the threat posed by CVE-2025-23359 and the related DoS condition:

✅ Update to the latest version of NVIDIA Container Toolkit.
🔐 Restrict Docker API access to trusted users only.
🧾 Perform regular audits of:
- Filesystem bindings
- Volume mounts
- Host socket connections
📊 Monitor for abnormal Linux mount table growth.
🧰 Apply strong access control policies across container environments.

💡 Final Thoughts

This case is yet another reminder that patching isn’t always the end of the story. Incomplete or superficial fixes can leave critical systems vulnerable—especially in high-privilege, containerized environments. Container security is complex, and organizations must ensure defense-in-depth by combining patching with vigilant runtime monitoring and least privilege access.

Stay tuned to Blackout Protocol as we continue to track container security threats, emerging CVEs, and in-depth technical analysis of real-world vulnerabilities.

Let me know if you'd like a cover image for this post or want to schedule it for auto-publishing to your Hashnode blog.

🚨 Incomplete NVIDIA Patch Leaves CVE-2024-0132 Open to Container Escape Exploits