NVIDIAScape: Privilege Escalation in NVIDIA Container Toolkit
CVE-2025-23266 is a critical vulnerability in NVIDIA Container Toolkit affecting all platforms. The issue is in certain hooks used during container initialization, where an attacker can influence execution in a way that results in arbitrary code execution with elevated permissions. Public reporting and vendor-derived advisory content describe this as an Untrusted Search Path issue in privileged container initialization hooks. Because these hooks run as part of NVIDIA container enablement for Docker, Kubernetes, and related environments, successful exploitation can cross container trust boundaries and has been described as a container escape/privilege escalation issue. The flaw has been referred to publicly as "NVIDIAScape."
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-23266, targeting Docker environments using the overlay2 storage driver on Linux. The exploit leverages LD_PRELOAD to execute a payload when a container is started. Two main attack methods are provided: 1. File Exfiltration: The primary payload (poc.c) copies the /flag file from the host into a directory accessible from within the container (/var/lib/docker/overlay2/*/merged/), allowing the attacker to retrieve sensitive files from the host system. 2. Reverse Shell: An alternative payload (poc.c_bak) establishes a reverse shell from the container to a remote host and port (hardcoded as 'test ip' and 50000), granting the attacker remote command execution capabilities. The repository includes a Dockerfile for building a container image with the malicious shared object (poc.so), a build script (build.sh) to compile the payload, and documentation in README.md describing the two attack methods. The exploit is operational, providing working payloads for both file exfiltration and remote shell access, but requires some manual configuration (e.g., setting the target IP for the reverse shell).
This repository contains a fully weaponized exploit for CVE-2025-23266, targeting the NVIDIA Container Toolkit on Linux systems. The main exploit logic resides in evil.go, which is compiled as a C shared object (evil.so) using the provided Dockerfile. The exploit leverages LD_PRELOAD to execute code in the context of a container, joins the host's network namespace via /proc/1/ns/net, and establishes a reverse shell to an attacker-controlled IP and port (configurable via environment variables). The README provides a brief description and a reference link. The exploit is operational and provides a working reverse shell payload, making it a serious threat if deployed in vulnerable environments.
This repository is a Proof-of-Concept (PoC) exploit for CVE-2025-23266, a vulnerability in NVIDIA AI (NVIDIAScape). The repository contains a Go program (main.go) that is compiled as a C-shared library (poc.so) using the provided Dockerfile. The exploit leverages the LD_PRELOAD environment variable to inject the shared object into a process running with the NVIDIA runtime. When loaded, the exploit writes the hostname and current user information to a file named '/hacked', demonstrating successful code execution. The README provides instructions for building and running the exploit in a Docker container with NVIDIA GPU support. The exploit targets Linux systems with NVIDIA AI software and requires the NVIDIA runtime to be enabled. No network endpoints are involved; the attack vector is local privilege escalation or code execution via the NVIDIA runtime. The structure is simple, with clear separation between the exploit code, build instructions, and documentation.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
42 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A privilege escalation vulnerability in Nvidia Container Toolkit disclosed from a prior Pwn2Own AI category finding.
NVIDIA Container Toolkit container escape/privilege escalation vulnerability impacting managed AI cloud services.
A container escape vulnerability in the NVIDIA Container Toolkit mentioned as part of NVIDIA's broader security history.
A previously addressed NVIDIA AI infrastructure vulnerability mentioned as part of vendor security history; specific technical details are not provided in the content.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.