CVE-2025-23266

CRITICAL

NVIDIA Container Toolkit < 1.17.8 - Untrusted Search Path via Container Initialization Hooks


Exploitation Summary

EIP tracks 5 public exploits for CVE-2025-23266: working PoCs by jpts, r0binak and Mindasy, and writeups by mrk336 and ForeverLX.

AI-analyzed exploit summary: The three working PoCs (jpts, r0binak, Mindasy) all use the same vector: a shared library shipped with the container whose constructor function runs as soon as the library is loaded, so whatever privileged process loads it executes attacker code before it reaches its own entry point. The jpts reference PoC writes system information to a file named '/hacked' on the host to demonstrate code execution outside the container; r0binak extends this to a reverse shell and Mindasy to copying a host file into a container-visible directory. Of the two writeups, ForeverLX is a technical analysis with no exploit code, and mrk336 describes an unrelated FastAPI issue and should not be relied on for this CVE.

Description

NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial of service. Consistent with the CWE-426 (untrusted search path) classification and the PoCs listed below, the practical vector is that a container-initialization hook runs on the host with elevated privileges but honors LD_PRELOAD from the container's environment, so a shared library supplied by the container image (with a constructor that executes at load time) is loaded into that privileged host process. Fixed in NVIDIA Container Toolkit 1.17.8.
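The mitigation checks a practitioner would run against this description, as an added example that is not part of this page, the NVIDIA advisory, or any of the listed repositories: a POSIX shell script that flags an installed NVIDIA Container Toolkit older than the 1.17.8 fix and flags container images whose ENV sets LD_PRELOAD, the injection vector the working PoCs use. It assumes `nvidia-ctk --version` prints a dotted x.y.z version somewhere in its output and that `docker inspect` is available for live checks; the embedded sample strings are constructed, not real tool output.

```shell
#!/bin/sh
# Added example for CVE-2025-23266 exposure checks. Not from NVIDIA or the
# PoC repositories. Assumptions: `nvidia-ctk --version` contains a dotted
# x.y.z version; `docker inspect` is available for the live image check.

FIXED_VERSION="1.17.8"   # first release with the hook fix (per advisory)

# version_lt A B: exit 0 if dotted version A sorts strictly before B
# (numeric per component, so 1.17.10 is newer than 1.17.8).
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$first" = "$1" ]
}

# toolkit_vulnerable VERSION_OUTPUT: exit 0 if the first x.y.z found in the
# text is older than FIXED_VERSION; exit 2 if no version can be parsed.
toolkit_vulnerable() {
    v=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# env_sets_ld_preload "ENV lines": exit 0 if any KEY=VALUE line sets
# LD_PRELOAD to a non-empty value. Input format is one entry per line, as
# printed by: docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' IMAGE
env_sets_ld_preload() {
    printf '%s\n' "$1" | grep -qE '^LD_PRELOAD=.+'
}

# Live check: installed toolkit version, then an image's ENV if one is given.
check_host_and_image() {
    img="$1"
    if command -v nvidia-ctk >/dev/null 2>&1; then
        if toolkit_vulnerable "$(nvidia-ctk --version 2>&1)"; then
            echo "VULNERABLE: nvidia-ctk older than $FIXED_VERSION"
        else
            echo "ok: nvidia-ctk at or above $FIXED_VERSION (or version not parsed)"
        fi
    else
        echo "nvidia-ctk not found on PATH; skipping toolkit version check"
    fi
    if [ -n "$img" ] && command -v docker >/dev/null 2>&1; then
        envs=$(docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' "$img" 2>/dev/null)
        if env_sets_ld_preload "$envs"; then
            echo "SUSPICIOUS: image $img sets LD_PRELOAD in its ENV"
        else
            echo "ok: image $img does not set LD_PRELOAD"
        fi
    fi
}

# Constructed sample inputs (not real tool output) for offline exercise.
SAMPLE_OLD="NVIDIA Container Toolkit CLI version 1.17.7
commit: 0000000"
SAMPLE_NEW="NVIDIA Container Toolkit CLI version 1.17.8
commit: 0000000"
SAMPLE_ENV="PATH=/usr/local/bin:/usr/bin
LD_PRELOAD=/tmp/evil.so
NVIDIA_VISIBLE_DEVICES=all"

# Usage: sh check.sh --live [IMAGE]   (runs against the real host/daemon)
if [ "${1:-}" = "--live" ]; then
    check_host_and_image "${2:-}"
fi
```

An image that sets LD_PRELOAD in its ENV is a signal, not proof of malice, but on a host running a toolkit below 1.17.8 it is exactly the precondition the listed PoCs need, so it is worth gating admission on until the toolkit is upgraded.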

Exploits (5)

nomisec WORKING POC 13 stars
by jpts · poc
https://github.com/jpts/cve-2025-23266-poc

This PoC exploits CVE-2025-23266 in the NVIDIA Container Toolkit by leveraging a constructor function in a shared library to execute arbitrary code during library loading. It writes system information to a file named '/hacked' as a demonstration of the exploit's effectiveness.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: NVIDIA Container Toolkit before 1.17.8 (specific version not stated by the PoC)
No auth needed
Prerequisites: Docker environment with NVIDIA runtime · Access to the target system to run the Docker container
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP 2 stars
by mrk336 · poc
https://github.com/mrk336/CVE-2025-23266

The repository describes a buffer overflow vulnerability (which it labels CVE-2025-23266) in FastAPI's `parse_request()` function, allowing remote code execution via crafted HTTP headers. The writeup outlines the exploit flow, mitigation steps, and monitoring recommendations but does not include actual exploit code. Caveat: this does not match CVE-2025-23266, which affects the NVIDIA Container Toolkit (CWE-426, untrusted search path), not FastAPI, a Python framework with no native `parse_request()` buffer to overflow and no 2.x release line; treat the entry as mis-tagged and not as a reference for this CVE.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: FastAPI v2.4.3
No auth needed
Prerequisites: Target running FastAPI v2.4.3 on Ubuntu 22.04 · Network access to the target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by r0binak · poc
https://github.com/r0binak/CVE-2025-23266

This PoC exploits CVE-2025-23266 in the NVIDIA Container Toolkit by leveraging a shared library (evil.so) to escape container network namespaces and establish a reverse shell. The exploit uses LD_PRELOAD to execute arbitrary commands with elevated privileges.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: NVIDIA Container Toolkit (version not specified)
No auth needed
Prerequisites: Access to a container with the vulnerable NVIDIA Container Toolkit · Ability to load a shared library (LD_PRELOAD)
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by Mindasy · poc
https://github.com/Mindasy/cve-2025-23266-migration-bypass

This PoC exploits CVE-2025-23266 by using a shared library (poc.so) with a constructor payload to copy a flag file from the host to a Docker container's mounted directory. Reading a host file from inside the container is a container escape; the vector is the same constructor-payload-in-a-shared-library technique used by the other working PoCs, with a host-file read rather than a marker write as the demonstration.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: Docker (specific version not specified)
No auth needed
Prerequisites: Ability to load a shared library in the target environment · Docker container with mounted directory access
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP
by ForeverLX · poc
https://github.com/ForeverLX/security-research

This repository contains a detailed technical analysis of container boundary vulnerabilities, specifically focusing on CVE-2025-23266 in the NVIDIA Container Toolkit. It includes research methodology, findings, and MITRE ATT&CK mappings, but no functional exploit code.

Classification
Writeup 95%
Attack Type
Other
Complexity
Complex
Reliability
Theoretical
Target: NVIDIA Container Toolkit
No auth needed
Prerequisites: rootless Podman with runc · NVIDIA Container Toolkit
devstral-2 · analyzed Apr 13, 2026

Scores

CVSS v3 9.0
EPSS 0.0017
EPSS Percentile 37.8%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-426
Status published
Products (6)
NVIDIA/Container Toolkit NVIDIA Container Toolkit All versions up to and including 1.17.7 (CDI mode only for versions prior t
NVIDIA/Container Toolkit NVIDIA GPU Operator All versions up to and including 25.3.0 (CDI mode only for versions prior to 25.
NVIDIA/gpu-operator 0 - 25.3.2 (Go)
NVIDIA/k8s-device-plugin 0 - 0.17.3 (Go)
NVIDIA/mig-parted 0 - 0.12.2 (Go)
NVIDIA/nvidia-container-toolkit 0 - 1.17.8 (Go)
Published Jul 17, 2025
Tracked Since Feb 18, 2026