{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-23359", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "state": "PUBLISHED", "assignerShortName": "nvidia", "dateReserved": "2025-01-14T01:07:26.681Z", "datePublished": "2025-02-12T00:52:43.646Z", "dateUpdated": "2025-04-11T13:24:14.643Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Linux"], "product": "Container Toolkit", "vendor": "NVIDIA", "versions": [{"status": "affected", "version": "All versions up to and including 1.17.3"}]}, {"defaultStatus": "unaffected", "platforms": ["Linux"], "product": "GPU Operator", "vendor": "NVIDIA", "versions": [{"status": "affected", "version": "All versions up to and including 24.9.1"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.</span>"}], "value": "NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering."}], "impacts": [{"descriptions": [{"lang": "en", "value": "Code execution, denial of service, escalation of privileges, information disclosure, data tampering"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2025-02-12T00:52:43.646Z"}, "references": [{"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5616"}], "source": {"discovery": "UNKNOWN"}, "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>This vulnerability does not impact use cases where CDI is used.</div><div><br>The fix for this vulnerability changes the default behavior of the NVIDIA Container Toolkit. By default the NVIDIA CUDA compatibility libraries from /usr/local/cuda/compat in the container are no longer mounted to the default library path in the container being run. This may affect certain applications that depend on this behavior.</div><div><br>A feature flag, allow-cuda-compat-libs-from-container was included in the NVIDIA Container Toolkit to allow users to opt-in to the previous behavior if required.<br>Warning: Opting-in to the previous behavior will remove protection against this vulnerability and is not recommended.</div><div><br>To set the feature flag ensure that the NVIDIA Container Toolkit config file at /etc/nvidia-container-runtime/config.toml includes:<br><br>[features]<br>&nbsp; allow-cuda-compat-libs-from-container = true</div><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span><div>Setting the value above to false or removing the config file entry will disable the feature.</div><div><br>In the case of the NVIDIA GPU Operator the feature flag can be set by including the following in the NVIDIA GPU Operator helm install command:</div><div>--set \"toolkit.env[0].name=NVIDIA_CONTAINER_TOOLKIT_OPT_IN_FEATURES\" --set \"toolkit.env[0].value=allow-cuda-compat-libs-from-container\"</div><div>&nbsp;</div><div>For users who know that their application needs CUDA Forward Compatibility the following workaround can be used:</div><div><br>Setting the LD_LIBRARY_PATH environment variable to include /usr/local/cuda/compat</div><div><br>This may cause portability issues for some containers when running across multiple driver versions \u2013 especially when these are more recent than the compatibility libraries in the container.</div>\n\n<br>"}], "value": "This vulnerability does not impact use cases where CDI is used.\n\n\nThe fix for this vulnerability changes the default behavior of the NVIDIA Container Toolkit. By default the NVIDIA CUDA compatibility libraries from /usr/local/cuda/compat in the container are no longer mounted to the default library path in the container being run. This may affect certain applications that depend on this behavior.\n\n\nA feature flag, allow-cuda-compat-libs-from-container was included in the NVIDIA Container Toolkit to allow users to opt-in to the previous behavior if required.\nWarning: Opting-in to the previous behavior will remove protection against this vulnerability and is not recommended.\n\n\nTo set the feature flag ensure that the NVIDIA Container Toolkit config file at /etc/nvidia-container-runtime/config.toml includes:\n\n[features]\n\u00a0 allow-cuda-compat-libs-from-container = true\n\n\u00a0Setting the value above to false or removing the config file entry will disable the feature.\n\n\nIn the case of the NVIDIA GPU Operator the feature flag can be set by including the following in the NVIDIA GPU Operator helm install command:\n\n--set \"toolkit.env[0].name=NVIDIA_CONTAINER_TOOLKIT_OPT_IN_FEATURES\" --set \"toolkit.env[0].value=allow-cuda-compat-libs-from-container\"\n\n\u00a0\n\nFor users who know that their application needs CUDA Forward Compatibility the following workaround can be used:\n\n\nSetting the LD_LIBRARY_PATH environment variable to include /usr/local/cuda/compat\n\n\nThis may cause portability issues for some containers when running across multiple driver versions \u2013 especially when these are more recent than the compatibility libraries in the container."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"references": [{"url": "https://thehackernews.com/2025/04/incomplete-patch-in-nvidia-toolkit.html", "tags": ["media-coverage", "exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-11T13:20:19.602945Z", "id": "CVE-2025-23359", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-11T13:24:14.643Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-23359", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-11T13:20:19.602945Z"}}}], "references": [{"url": "https://thehackernews.com/2025/04/incomplete-patch-in-nvidia-toolkit.html", "tags": ["media-coverage", "exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T15:59:37.487Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Code execution, denial of service, escalation of privileges, information disclosure, data tampering"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NVIDIA", "product": "Container Toolkit", "versions": [{"status": "affected", "version": "All versions up to and including 1.17.3"}], "platforms": ["Linux"], "defaultStatus": "unaffected"}, {"vendor": "NVIDIA", "product": "GPU Operator", "versions": [{"status": "affected", "version": "All versions up to and including 24.9.1"}], "platforms": ["Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5616"}], "workarounds": [{"lang": "en", "value": "This vulnerability does not impact use cases where CDI is used.\n\n\nThe fix for this vulnerability changes the default behavior of the NVIDIA Container Toolkit. By default the NVIDIA CUDA compatibility libraries from /usr/local/cuda/compat in the container are no longer mounted to the default library path in the container being run. This may affect certain applications that depend on this behavior.\n\n\nA feature flag, allow-cuda-compat-libs-from-container was included in the NVIDIA Container Toolkit to allow users to opt-in to the previous behavior if required.\nWarning: Opting-in to the previous behavior will remove protection against this vulnerability and is not recommended.\n\n\nTo set the feature flag ensure that the NVIDIA Container Toolkit config file at /etc/nvidia-container-runtime/config.toml includes:\n\n[features]\n\u00a0 allow-cuda-compat-libs-from-container = true\n\n\u00a0Setting the value above to false or removing the config file entry will disable the feature.\n\n\nIn the case of the NVIDIA GPU Operator the feature flag can be set by including the following in the NVIDIA GPU Operator helm install command:\n\n--set \"toolkit.env[0].name=NVIDIA_CONTAINER_TOOLKIT_OPT_IN_FEATURES\" --set \"toolkit.env[0].value=allow-cuda-compat-libs-from-container\"\n\n\u00a0\n\nFor users who know that their application needs CUDA Forward Compatibility the following workaround can be used:\n\n\nSetting the LD_LIBRARY_PATH environment variable to include /usr/local/cuda/compat\n\n\nThis may cause portability issues for some containers when running across multiple driver versions \u2013 especially when these are more recent than the compatibility libraries in the container.", "supportingMedia": [{"type": "text/html", "value": "<div>This vulnerability does not impact use cases where CDI is used.</div><div><br>The fix for this vulnerability changes the default behavior of the NVIDIA Container Toolkit. By default the NVIDIA CUDA compatibility libraries from /usr/local/cuda/compat in the container are no longer mounted to the default library path in the container being run. This may affect certain applications that depend on this behavior.</div><div><br>A feature flag, allow-cuda-compat-libs-from-container was included in the NVIDIA Container Toolkit to allow users to opt-in to the previous behavior if required.<br>Warning: Opting-in to the previous behavior will remove protection against this vulnerability and is not recommended.</div><div><br>To set the feature flag ensure that the NVIDIA Container Toolkit config file at /etc/nvidia-container-runtime/config.toml includes:<br><br>[features]<br>&nbsp; allow-cuda-compat-libs-from-container = true</div><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span><div>Setting the value above to false or removing the config file entry will disable the feature.</div><div><br>In the case of the NVIDIA GPU Operator the feature flag can be set by including the following in the NVIDIA GPU Operator helm install command:</div><div>--set \"toolkit.env[0].name=NVIDIA_CONTAINER_TOOLKIT_OPT_IN_FEATURES\" --set \"toolkit.env[0].value=allow-cuda-compat-libs-from-container\"</div><div>&nbsp;</div><div>For users who know that their application needs CUDA Forward Compatibility the following workaround can be used:</div><div><br>Setting the LD_LIBRARY_PATH environment variable to include /usr/local/cuda/compat</div><div><br>This may cause portability issues for some containers when running across multiple driver versions \u2013 especially when these are more recent than the compatibility libraries in the container.</div>\n\n<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2025-02-12T00:52:43.646Z"}}}, "cveMetadata": {"cveId": "CVE-2025-23359", "state": "PUBLISHED", "dateUpdated": "2025-04-11T13:24:14.643Z", "dateReserved": "2025-01-14T01:07:26.681Z", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "datePublished": "2025-02-12T00:52:43.646Z", "assignerShortName": "nvidia"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering."}, {"lang": "es", "value": "NVIDIA Container Toolkit para Linux contiene una vulnerabilidad de tipo Time-of-Check Time-of-Use (TOCTOU) cuando se utiliza con la configuraci\u00f3n predeterminada, donde una imagen de contenedor manipulado podr\u00eda obtener acceso al archivo host sistema. Una explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda provocar la ejecuci\u00f3n de c\u00f3digo, la denegaci\u00f3n de servicio, la escalada de privilegios, la divulgaci\u00f3n de informaci\u00f3n y la manipulaci\u00f3n de datos."}], "id": "CVE-2025-23359", "lastModified": "2025-04-11T14:15:24.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "psirt@nvidia.com", "type": "Secondary"}]}, "published": "2025-02-12T01:15:09.230", "references": [{"source": "psirt@nvidia.com", "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5616"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://thehackernews.com/2025/04/incomplete-patch-in-nvidia-toolkit.html"}], "sourceIdentifier": "psirt@nvidia.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "psirt@nvidia.com", "type": "Secondary"}]}

{"bugzilla": {"description": "nvidia-container-toolkit: TOCTOU Vulnerability in NVIDIA Container Toolkit", "id": "2345129", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345129"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-367", "details": ["NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.", "A flaw was found in the NVIDIA Container Toolkit for Linux. This vulnerability allows a crafted container image to gain access to the host file system via a Time-of-Check Time-of-Use (TOCTOU) flaw in the default configuration, potentially leading to code execution, denial of service, escalation of privileges, information disclosure, and data tampering."], "name": "CVE-2025-23359", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "toolbox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "bootc-aws-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "bootc-azure-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "bootc-gcp-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "bootc-ibm-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "bootc-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}], "public_date": "2025-02-12T00:52:43Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-23359\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-23359\nhttps://nvidia.custhelp.com/app/answers/detail/a_id/5616"], "statement": "This vulnerability in the NVIDIA container toolkit does not affect Red Hat products. Specially crafted container images are required for effective exploitation and none of the Red Hat signed containers are crafted in such a way as to allow exploitation. Our containers which include the nvidia toolkit comply with our operating procedures by utilizing the Container Device Interface (CDI). As noted in the Nvidia bulletin, the vulnerability does not impact use-cases where CDI is used.\nWe\u2019ve rated this as important vs critical in the event that non-signed container images, crafted by an attacker, are permitted to be deployed in an environment. This scenario is not typical.", "threat_severity": "Important"}