
Critical Container Escape Vulnerability in Nvidia’s Container Toolkit
🎬 Security researchers Hillai Ben-Sasson and Andres Riancho of the Wiz Research Team presented at Black Hat a critical container escape vulnerability in Nvidia's Container Toolkit, a foundational component used across AI infrastructure to expose GPUs to containers. The flaw, in the toolkit's mount handling logic, was a time-of-check to time-of-use (TOCTOU) race condition: the path the toolkit validated was not the path it ultimately mounted, so an attacker could satisfy the check and still get the host's filesystem mounted into the container, with full host filesystem access as the result. Exploiting it required nothing more than a specially crafted container image whose symbolic links and directory layout steered the toolkit's mount logic onto the host filesystem, which matters because running untrusted images is the normal operating mode of multi-tenant AI platforms. The researchers demonstrated the attack against several cloud providers, including Replicate and DigitalOcean's Paperspace, where it gave them access to shared infrastructure, Kubernetes credentials and customer secrets, and through those to other customers' AI models and prompts. Nvidia assigned the vulnerability CVE-2024-0132 and patched it in Container Toolkit version 1.16.2 (the practical check for operators is that every node runs 1.16.2 or later, since a single unpatched node running attacker-controlled images is enough), while the affected providers collaborated on fixes. The talk's central point was that AI security rests on infrastructure security: a vulnerability in a core component such as a container runtime can undermine an entire cloud ecosystem regardless of how the models on top of it are protected. A second, even simpler container escape flaw in the same toolkit was teased, underscoring ongoing risk in AI infrastructure.
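To make the bug class concrete, here is an added Go example that is not the toolkit's code and not the exploit the researchers presented; it is a deliberately simplified illustration of a symlink TOCTOU in a path-containment check. The "container rootfs", "host secret" file and the symlink swap are all constructed in a temporary directory by the program itself, and the attacker's race window is modelled as a callback (`between`) so the race is deterministic rather than timing-dependent. `readCheckThenUse` validates the resolved target and then operates on the original, unresolved path (the vulnerable pattern); `readResolved` operates on exactly the path that passed the check, which closes this particular window (a complete fix for untrusted trees additionally needs fd-relative resolution, such as openat2 with RESOLVE_BENEATH, so that no component of the path can be swapped either).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Constructed stand-ins: the host-only secret and a harmless file inside the rootfs.
const hostSecret = "HOST_SECRET"
const benign = "benign"

var ErrEscape = errors.New("path escapes rootfs")

// resolveInside follows symlinks for rootfs/rel and rejects the result if it
// lands outside rootfs. This is the "check" half of check-then-use.
func resolveInside(rootfs, rel string) (string, error) {
	root, err := filepath.EvalSymlinks(rootfs)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(filepath.Join(root, rel))
	if err != nil {
		return "", err
	}
	if resolved != root && !strings.HasPrefix(resolved, root+string(os.PathSeparator)) {
		return "", ErrEscape
	}
	return resolved, nil
}

// readCheckThenUse is the TOCTOU-vulnerable pattern: the target is validated,
// then the ORIGINAL path is used, and it may point elsewhere by then.
func readCheckThenUse(rootfs, rel string, between func() error) ([]byte, error) {
	if _, err := resolveInside(rootfs, rel); err != nil {
		return nil, err
	}
	if err := between(); err != nil { // attacker's window
		return nil, err
	}
	return os.ReadFile(filepath.Join(rootfs, rel)) // re-resolves the symlink
}

// readResolved uses exactly the path that passed the check.
func readResolved(rootfs, rel string, between func() error) ([]byte, error) {
	resolved, err := resolveInside(rootfs, rel)
	if err != nil {
		return nil, err
	}
	if err := between(); err != nil { // same window, no effect on `resolved`
		return nil, err
	}
	return os.ReadFile(resolved)
}

// buildLab constructs base/host/secret (outside the rootfs), base/rootfs/benign and
// base/rootfs/link -> benign. The returned swap repoints link at the host secret,
// atomically via rename, as a racing attacker process would.
func buildLab(base string) (rootfs string, swap func() error, err error) {
	host := filepath.Join(base, "host")
	rootfs = filepath.Join(base, "rootfs")
	for _, d := range []string{host, rootfs} {
		if err = os.MkdirAll(d, 0o755); err != nil {
			return "", nil, err
		}
	}
	secret := filepath.Join(host, "secret")
	if err = os.WriteFile(secret, []byte(hostSecret), 0o600); err != nil {
		return "", nil, err
	}
	if err = os.WriteFile(filepath.Join(rootfs, "benign"), []byte(benign), 0o644); err != nil {
		return "", nil, err
	}
	link := filepath.Join(rootfs, "link")
	if err = os.Symlink("benign", link); err != nil {
		return "", nil, err
	}
	swap = func() error {
		tmp := filepath.Join(rootfs, ".link.tmp")
		if err := os.Symlink(secret, tmp); err != nil {
			return err
		}
		return os.Rename(tmp, link)
	}
	return rootfs, swap, nil
}

// Race runs each reader against a fresh lab and reports whether it leaked the host secret.
func Race() (vulnerableLeaked, hardenedLeaked bool, err error) {
	readers := []func(string, string, func() error) ([]byte, error){readCheckThenUse, readResolved}
	for i, reader := range readers {
		base, err := os.MkdirTemp("", "toctou")
		if err != nil {
			return false, false, err
		}
		defer os.RemoveAll(base)
		rootfs, swap, err := buildLab(base)
		if err != nil {
			return false, false, err
		}
		data, err := reader(rootfs, "link", swap)
		if err != nil {
			return false, false, err
		}
		if i == 0 {
			vulnerableLeaked = string(data) == hostSecret
		} else {
			hardenedLeaked = string(data) == hostSecret
		}
	}
	return vulnerableLeaked, hardenedLeaked, nil
}

func main() {
	v, h, err := Race()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("check-then-use leaked host secret: %v\nuse-what-you-checked leaked host secret: %v\n", v, h)
}
```

The check itself is sound in both readers (a `../host/secret` request is rejected), which is the point: the defect is not in the validation but in acting on a different object than the one validated. The same discipline applies to mounts as to file reads, since a mount source re-resolved at mount time is exactly such a different object.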