In September 2024, NVIDIA addressed a critical vulnerability in its Container Toolkit, identified as CVE-2024-0132, which had a CVSS score of 9.0. This Time-of-Check Time-of-Use (TOCTOU) flaw allowed specially crafted container images to access the host file system, potentially leading to code execution, denial of service, and privilege escalation.

However, recent analyses by cybersecurity firms, including Trend Micro, have revealed that the initial patch was incomplete. The flaw persisted in version 1.17.4 when the allow-cuda-compat-libs-from-container feature was explicitly enabled. This oversight could enable attackers to escape container isolation and execute arbitrary commands with root privileges on the host system.

Furthermore, Trend Micro’s research uncovered a related performance issue affecting Docker instances on Linux systems. When containers are created with multiple mounts configured using bind-propagation=shared, the Linux mount table can grow uncontrollably after container termination. This expansion exhausts available file descriptors, leading to a denial-of-service (DoS) condition where new containers cannot be created, and users may be prevented from connecting to the host via SSH.

Mitigation Measures

To address these vulnerabilities and performance issues, organizations are advised to:

  • Update NVIDIA Container Toolkit: Ensure that the toolkit is updated to version 1.17.4 or later, which addresses both CVE-2024-0132 and the subsequent CVE-2025-23359.
  • Monitor Mount Table Growth: Regularly check the Linux mount table for abnormal growth to prevent file descriptor exhaustion.
  • Restrict Docker API Access: Limit access to the Docker API to authorized personnel only, reducing the risk of unauthorized operations.
  • Enforce Strong Access Controls: Implement robust access control policies to prevent unauthorized access and potential exploitation.
  • Conduct Periodic Audits: Regularly audit container-to-host filesystem bindings, volume mounts, and socket connections to identify and mitigate potential vulnerabilities.
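
The mount table check from the list above, as an added example that is not part of the original article or of Trend Micro’s research: it counts entries in /proc/self/mountinfo and how many of them are leftover container mounts under Docker’s data root. The data root (/var/lib/docker), the alert threshold and the sample mountinfo lines are assumptions.

```shell
#!/bin/sh
# Added example: detect runaway growth of the Linux mount table on a Docker
# host, as described in the DoS scenario (bind-propagation=shared mounts
# surviving container termination and exhausting file descriptors).

# count_mounts FILE -> prints the total number of mount entries in FILE
count_mounts() {
    wc -l < "$1" | tr -d ' '
}

# count_container_mounts FILE -> prints the number of entries whose mount
# point (field 5 of mountinfo) lies under Docker's data root. The data root
# /var/lib/docker is an assumption; adjust it to the host's configuration.
count_container_mounts() {
    awk '$5 ~ /^\/var\/lib\/docker\// { n++ } END { print n + 0 }' "$1"
}

# check_mount_table FILE THRESHOLD -> returns 0 when the number of entries is
# within THRESHOLD and 1 otherwise, so it can drive an alert from cron
check_mount_table() {
    total=$(count_mounts "$1")
    [ "$total" -le "$2" ]
}

# Constructed sample with the same column layout as /proc/self/mountinfo:
# ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTIONS [tags...] - FSTYPE SOURCE SUPEROPTS
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
22 1 0:21 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:5 / /proc rw,nosuid shared:2 - proc proc rw
40 22 0:40 / /var/lib/docker/overlay2/abc/merged rw,relatime shared:20 - overlay overlay rw
41 22 0:41 / /var/lib/docker/containers/abc/mounts/shm rw,nosuid shared:21 - tmpfs shm rw
EOF

# Against the live host (threshold of 5000 entries is an assumed baseline):
#   check_mount_table /proc/self/mountinfo 5000 || echo "mount table too large"
#   echo "leftover container mounts: $(count_container_mounts /proc/self/mountinfo)"
```

Run the check on a schedule and compare the container-mount count against the number of running containers; a count that keeps rising while containers are stopped is the symptom the article describes.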

By proactively implementing these measures, organizations can enhance their security posture and safeguard their systems against potential exploits targeting these vulnerabilities.
