Nvidia systems could be facing another worrying security flaw

Nvidia confirms a new bug in Container Toolkit, and GPU Operator
The bug allows malicious actors to execute code remotely
A fix was already deployed, so patch now

The Nvidia Container Toolkit for Linux, a set of tools that allows devs to build and run GPU-accelerated containers using Docker, or other container runtimes, carries a vulnerability that allows threat actors to gain access to the host file system and thus execute malicious code remotely, run denial of service attacks, escalate privileges, steal sensitive information, or tamper with the victim’s data.

The company confirmed the news in a security advisory, noting both the Nvidia Container Toolkit, and Nvidia GPU Operator (a Kubernetes-native solution that automates the deployment, management, and monitoring of Nvidia GPU resources in a Kubernetes cluster) are vulnerable to the bug which is being tracked as CVE-2025-23359.

It was assigned a severity score of 8.3, and was said to affect all versions of Container Toolkit up to and including 1.17.3, and all versions up to and including 24.9.1 of GPU Operator.

Patch bypass

The bugs were fixed in versions 1.17.4 and 24.9.2 respectively. It is also worth mentioning that the flaw is only present on Linux, and does not impact use cases where CDI is used.

Cybersecurity researchers from Wiz claim this is actually a bypass for another vulnerability. Apparently, the previous bug is tracked as CVE-2024-0132, and has a 9.0 severity score, making it critical, as it could allow malicious actors to mount the host’s root file system into a container, granting them free access to virtually anything. What’s more, the access can be used to launch privileged containers and achieve full host compromise.

Nvidia says the issue was fixed in September 2024, and to address the issue, users are advised to apply the released patches, and make sure not to disable the “–no-cntlibs” flag in production environments, it was said.

Via The Hacker News

https://cdn.mos.cms.futurecdn.net/zjafjw6AeTXTuuLetiazgC-1200-80.jpg

Source link

Hisense U9N review: the best Hisense mini-LED TV yet, with powerful Dolby Atmos sound built-in

Not even emoji are safe from hackers – smiley faces can be hijacked to hide data, study claims

Monster Hunter Wilds roadmap | TechRadar

Apple Maps just got a lot better for cyclists in the UK – here’s what’s new

Ex-Israeli Intelligence Official: Shockwaves of Trump’s “Take Over Gaza” Heard, Felt Across Region

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

Which Celebrity Styles Americans Copy Most in 2025: New Study

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

Siemens shareholders reject proposal to allow virtual AGMs

The best psych-out artists know how to mess with your mind, but Trump’s push for tariffs shows how this strategy can backfire

SailPoint IPO opens at $23 per share, matches pricing

Who is Alexander Vinnik, the Bitcoin criminal Trump freed in a prisoner exchange with Russia?

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

Nvidia systems could be facing another worrying security flaw

Siemens shareholders reject proposal to allow virtual AGMs

The best psych-out artists know how to mess with your mind, but Trump’s push for tariffs shows how this strategy can backfire

SailPoint IPO opens at $23 per share, matches pricing

Who is Alexander Vinnik, the Bitcoin criminal Trump freed in a prisoner exchange with Russia?

Leave a reply Cancel reply