NVIDIA security vulnerability (CVE-2025-23359)

CVE-2025-23359 is a Time-of-Check Time-of-Use (TOCTOU) vulnerability in NVIDIA Container Toolkit and GPU Operator for Linux. When the software is used with its default configuration, a crafted container image could gain access to the host file system. Successful exploitation can lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Affected versions include:

  • NVIDIA Container Toolkit up to and including 1.17.3
  • NVIDIA GPU Operator up to and including 24.9.1

To mitigate the risk, users should update to the patched versions: Container Toolkit 1.17.4 and GPU Operator 24.9.2.
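The version boundaries above can be checked across a fleet with a short script. This is an added example, not NVIDIA's tooling: the `host component version` inventory format, the component labels `container-toolkit` and `gpu-operator`, and the host names are assumptions made for illustration, and treating a pre-release build of the fixed version as affected is a conservative assumption.

```python
import re

# Last affected releases, taken from the advisory text above.
LAST_AFFECTED = {"container-toolkit": (1, 17, 3), "gpu-operator": (24, 9, 1)}
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$")


def classify(component, version):
    """Return 'affected', 'patched' or 'unknown' for one component/version pair."""
    last_bad = LAST_AFFECTED.get(component)
    match = _VERSION.match(version.strip())
    if last_bad is None or match is None:
        return "unknown"  # unparseable (e.g. a 'latest' tag): route to manual review
    core = tuple(int(part) for part in match.group(1, 2, 3))
    if core <= last_bad:
        return "affected"
    # Assumption: a pre-release build of the first fixed version is not trusted
    # to carry the fix, so it is reported as affected.
    first_fixed = last_bad[:2] + (last_bad[2] + 1,)
    if core == first_fixed and re.search(r"rc|alpha|beta", match.group(4).lower()):
        return "affected"
    return "patched"


def audit(inventory_text):
    """Parse 'host component version' lines and return entries needing action."""
    findings = []
    for line in inventory_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        host, component, version = fields
        status = classify(component, version)
        if status != "patched":
            findings.append((host, component, version, status))
    return findings


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = """\
gpu-node-01 container-toolkit 1.17.3-1
gpu-node-02 container-toolkit 1.17.4-1
cluster-a gpu-operator v24.9.1
cluster-b gpu-operator v24.9.2
cluster-c gpu-operator latest
gpu-node-04 container-toolkit 1.17.4~rc.1-1
"""
for finding in audit(SAMPLE):
    print(*finding)
```

Entries reported as `unknown` need a manual look at the deployed image or package rather than being assumed safe.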

The vulnerability is categorized under CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition.
