
Critical Vulnerability in Nvidia’s Container Toolkit Exposes Major AI Cloud Providers
Security researchers from Wiz, Neld and Elen Sasson, presented a critical vulnerability in Nvidia’s Container Toolkit (a widely used software component enabling Linux containers to access Nvidia GPUs) affecting major AI cloud providers. The flaw allowed container escape via a malicious Docker image, granting attackers full host filesystem access and potential code execution by abusing Unix sockets, such as the Docker socket, to create privileged containers.

The team tested the exploit across multiple cloud platforms, revealing varying security postures: Azure’s virtual API server blocked cross-tenant access despite container escape, Replicate’s shared Redis instance exposed sensitive prompts and predictions before detection, and DigitalOcean’s Paperspace allowed full service takeover, including access to customer cloud secrets (AWS, GCP, Azure) via Kubernetes credentials.

The underlying vulnerability, tracked as CVE-2023-XXXX (exact number redacted), was patched by Nvidia, but a newer, simpler exploit in the same library was later discovered, executable in just three lines of code.

Key takeaways emphasized that containers alone are insufficient security barriers, requiring layered defenses (network rules, least privilege, virtualization) to mitigate zero-day threats.

The researchers also announced "Zero Day Cloud," a Black Hat Europe event offering cash prizes for open-source vulnerabilities in cloud infrastructure. All findings were responsibly disclosed to affected vendors.
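The least-privilege and virtualization layers named in the takeaways can be checked per GPU workload. The following is an added example, not code from the researchers or Nvidia: it audits `kubectl get pods -o json` output for GPU pods that lack VM-backed isolation, mount a container-runtime socket, run privileged, or carry a Kubernetes service-account token. The RuntimeClass name `kata-gpu`, the finding labels and the sample pods are assumptions made for illustration.

```python
import json

# Host control sockets: writing to one lets a process start a privileged container.
RUNTIME_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock", "/run/containerd/containerd.sock")
GPU_RESOURCE = "nvidia.com/gpu"    # resource name used by the NVIDIA device plugin
SANDBOXED = {"kata-gpu"}           # assumption: this cluster's VM-backed RuntimeClass

def exposes_runtime_socket(path):
    """True if a hostPath is a runtime socket or a directory containing one."""
    base = path.rstrip("/")
    return bool(path) and any(s == base or s.startswith(base + "/")
                              for s in RUNTIME_SOCKETS)

def audit_pod(pod, sandboxed=SANDBOXED):
    """Findings for one pod; non-GPU pods are out of scope and return []."""
    spec = pod["spec"]
    containers = spec.get("containers", [])
    if not any(GPU_RESOURCE in ((c.get("resources") or {}).get("limits") or {})
               for c in containers):
        return []
    findings = []
    if spec.get("runtimeClassName") not in sandboxed:
        findings.append("no-vm-isolation")
    if any((c.get("securityContext") or {}).get("privileged") for c in containers):
        findings.append("privileged")
    if any(exposes_runtime_socket((v.get("hostPath") or {}).get("path", ""))
           for v in spec.get("volumes", [])):
        findings.append("runtime-socket-hostpath")
    # Pod-level field only; the ServiceAccount object can also disable automount.
    if spec.get("automountServiceAccountToken", True):
        findings.append("sa-token-mounted")
    return findings

def audit(pod_list_json):
    """Map pod name -> findings for a `kubectl get pods -o json` document."""
    return {p["metadata"]["name"]: audit_pod(p)
            for p in json.loads(pod_list_json)["items"]}

# Constructed sample input (not from any real cluster).
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "train-a"}, "spec": {
        "containers": [{"name": "c", "resources": {"limits": {GPU_RESOURCE: 1}}}],
        "volumes": [{"name": "run", "hostPath": {"path": "/var/run"}}]}},
    {"metadata": {"name": "train-b"}, "spec": {
        "runtimeClassName": "kata-gpu", "automountServiceAccountToken": False,
        "containers": [{"name": "c", "resources": {"limits": {GPU_RESOURCE: 1}}}]}},
    {"metadata": {"name": "web"}, "spec": {"containers": [{"name": "c"}]}}]})

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A clean result here does not show a node is safe from the toolkit flaw itself; it only shows that the pod spec does not remove the other layers.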