oss-sec mailing list archives
CVE-2025-23359: Nvidia-container-toolkit: GPU Container Escape (CVE-2024-0132 fix bypass)
From: "Yupeng(Roc)" <roc.yupeng () huawei com>
Date: Fri, 14 Feb 2025 10:11:43 +0000
Hi, I am interested in container security. Recently, I found a bypass of the CVE-2024-0132 fix. The following gives the details.

Severity: Important
CVSS Score: 8.3 CVSS3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected versions:
- nvidia-container-toolkit >=v1.0.0, <=v1.17.3

Description:
In handling the CUDA Forward Compatibility feature, the NVIDIA Container Toolkit's libnvidia-container library mounts files from the container's /usr/local/cuda/compat directory into the container's library directories (such as /usr/lib/x86_64-linux-gnu/). This mounting behavior is susceptible to symbolic link attacks, which can lead to arbitrary host directories being mounted in read-only mode inside the container, potentially leading to container escape.

This vulnerability is a bypass of the fix for CVE-2024-0132 (the first known GPU-specific container escape). The fix for CVE-2024-0132 restricted scenarios where the mount source is a symbolic link, but it can be bypassed through shared volumes and race conditions. Given the widespread adoption of NVIDIA Container Toolkit in AI/ML infrastructure, we suggest that this issue should be addressed promptly.

This issue affects nvidia-container-toolkit from version v1.0.0 to v1.17.3. Users are recommended to upgrade to version v1.17.4, which fixes the issue, or to use the CDI mode to mitigate.

Credit: Lei Wang <wanglei249 () huawei com> (finder)

References: https://nvidia.custhelp.com/app/answers/detail/a_id/5616
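The hazard the advisory describes, illustrated as an added example that is not part of the original post and not code from the NVIDIA Container Toolkit (the page does not describe how libnvidia-container actually resolves the compat path, so the toolkit's real code paths are not reproduced here): a host-side component takes a path that the container controls (/usr/local/cuda/compat/...) and resolves it with the host's view of the filesystem, so a symlink written by the container is followed into the host tree before the bind mount is made. The constructed rootfs below contains a compat "library" that is really a symlink to "/"; naiveHostPath shows what host-side resolution yields, and resolveInRoot shows the confined alternative in which absolute link targets restart at the container root and ".." can never climb above it. The rootfs layout, the link names and both function names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// naiveHostPath is the hazard in one line: a container-controlled path is
// resolved with the host's view of the filesystem, so a symlink the container
// placed under /usr/local/cuda/compat is followed into the host's tree.
func naiveHostPath(rootfs, containerPath string) (string, error) {
	return filepath.EvalSymlinks(filepath.Join(rootfs, containerPath))
}

// resolveInRoot walks containerPath one component at a time and resolves each
// symlink the way the container's own kernel would: an absolute target starts
// again at rootfs, and ".." never climbs above rootfs. The result is therefore
// always a host path beneath rootfs. Missing trailing components are kept so
// the caller can report "not found" instead of mistaking them for an escape.
func resolveInRoot(rootfs, containerPath string) (string, error) {
	root := filepath.Clean(rootfs)
	rel := "" // path inside the container, relative to root
	queue := splitPath(containerPath)
	links := 0
	for len(queue) > 0 {
		comp := queue[0]
		queue = queue[1:]
		switch comp {
		case "", ".":
			continue
		case "..":
			if rel != "" {
				if rel = filepath.Dir(rel); rel == "." {
					rel = ""
				}
			}
			continue
		}
		next := filepath.Join(rel, comp)
		hostPath := filepath.Join(root, next)
		fi, err := os.Lstat(hostPath)
		if err != nil {
			if errors.Is(err, os.ErrNotExist) {
				rel = next
				continue
			}
			return "", err
		}
		if fi.Mode()&os.ModeSymlink == 0 {
			rel = next
			continue
		}
		if links++; links > 40 {
			return "", errors.New("too many levels of symbolic links")
		}
		target, err := os.Readlink(hostPath)
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			rel = "" // absolute link: restart at the container's root, not the host's
		}
		queue = append(splitPath(target), queue...)
	}
	host := filepath.Join(root, rel)
	// Belt-and-braces: the walk above cannot leave root, but a mount source
	// outside the rootfs must never be returned, so check lexically as well.
	if host != root && !strings.HasPrefix(host, root+string(os.PathSeparator)) {
		return "", fmt.Errorf("%q escapes rootfs %q", host, root)
	}
	return host, nil
}

func splitPath(p string) []string {
	return strings.Split(strings.Trim(filepath.Clean(p), "/"), "/")
}

// setupAttackerCompatDir builds a constructed container rootfs (assumption for
// this example) whose "forward compatibility" libraries are symlinks: one
// absolute link to "/" and one relative link that tries to climb out with "..".
func setupAttackerCompatDir(rootfs string) error {
	compat := filepath.Join(rootfs, "usr/local/cuda/compat")
	if err := os.MkdirAll(compat, 0o755); err != nil {
		return err
	}
	if err := os.Symlink("/", filepath.Join(compat, "libcuda.so.1")); err != nil {
		return err
	}
	return os.Symlink("../../../../../../etc", filepath.Join(compat, "libescape.so"))
}

func main() {
	rootfs, err := os.MkdirTemp("", "rootfs-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(rootfs)
	if err := setupAttackerCompatDir(rootfs); err != nil {
		panic(err)
	}
	const lib = "/usr/local/cuda/compat/libcuda.so.1"
	naive, _ := naiveHostPath(rootfs, lib)
	safe, _ := resolveInRoot(rootfs, lib)
	fmt.Println("host-side resolution would use as mount source:", naive)
	fmt.Println("rootfs-confined resolution yields:              ", safe)
}
```

Confined resolution removes the symlink-to-host trick, but it is still check-then-use: between the resolution and the mount(2) call the link can be replaced, and when the compat directory sits on a volume that another container can write to, it can be rewritten from there. That is consistent with the advisory's note that the CVE-2024-0132 fix "can be bypassed through shared volumes and race conditions", and it is why the advisory's remedy is to upgrade to v1.17.4 or use CDI mode rather than to add a path check.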
