CVE-2025-23267
HIGH8.5EPSS 0.36%NVIDIA Container Toolkit for all platforms contains a vulnerability in the update-ldcache hook in github.com/NVIDIA/gpu-operator
Published: 7/17/2025Modified: 3/3/2026
Description
NVIDIA Container Toolkit for all platforms contains a vulnerability in the update-ldcache hook in github.com/NVIDIA/gpu-operator. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/NVIDIA/gpu-operator before v25.3.2.
Affected packages (8)
- Go/github.com/NVIDIA/gpu-operatorfrom 0, < 25.3.2
- Go/github.com/NVIDIA/gpu-operatorfrom 0
- Go/github.com/NVIDIA/k8s-device-pluginfrom 0, < 0.17.3
- Go/github.com/NVIDIA/k8s-device-pluginfrom 0, < 0.17.3
- Go/github.com/NVIDIA/mig-partedfrom 0, < 0.12.2
- Go/github.com/NVIDIA/mig-partedfrom 0, < 0.12.2
- Go/github.com/NVIDIA/nvidia-container-toolkitfrom 0, < 1.17.8
- Go/github.com/NVIDIA/nvidia-container-toolkitfrom 0, < 1.17.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H |
References (9)
- ADVISORYhttps://github.com/advisories/GHSA-67jc-hmvg-q4c7
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-23267
- WEBhttps://github.com/NVIDIA/gpu-operator
- WEBhttps://github.com/NVIDIA/k8s-device-plugin
- WEBhttps://github.com/NVIDIA/mig-parted
- WEBhttps://github.com/NVIDIA/nvidia-container-toolkit
- WEBhttps://nvidia.custhelp.com/app/answers/detail/a_id/5659
- WEBhttps://pkg.go.dev/vuln/GO-2025-3998
- WEBhttp://www.openwall.com/lists/oss-security/2025/07/16/3