CVE-2025-23266
CRITICAL9.0EPSS 0.17%NVIDIA Container Toolkit for all platforms contains an Untrusted Search Path in github.com/NVIDIA/gpu-operator
發布日:2025/7/17修改日:2026/2/4
描述
NVIDIA Container Toolkit for all platforms contains an Untrusted Search Path in github.com/NVIDIA/gpu-operator. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/NVIDIA/gpu-operator before v25.3.2.
受影響套件(8)
- Go/github.com/NVIDIA/gpu-operatorfrom 0, < 25.3.2
- Go/github.com/NVIDIA/gpu-operatorfrom 0
- Go/github.com/NVIDIA/k8s-device-pluginfrom 0, < 0.17.3
- Go/github.com/NVIDIA/k8s-device-pluginfrom 0, < 0.17.3
- Go/github.com/NVIDIA/mig-partedfrom 0, < 0.12.2
- Go/github.com/NVIDIA/mig-partedfrom 0, < 0.12.2
- Go/github.com/NVIDIA/nvidia-container-toolkitfrom 0, < 1.17.8
- Go/github.com/NVIDIA/nvidia-container-toolkitfrom 0, < 1.17.8
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.0 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
參考連結(12)
- ADVISORYhttps://github.com/advisories/GHSA-vmg3-7v43-9g23
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-23266
- WEBhttps://github.com/NVIDIA/gpu-operator
- WEBhttps://github.com/NVIDIA/k8s-device-plugin
- WEBhttps://github.com/NVIDIA/mig-parted
- WEBhttps://github.com/NVIDIA/nvidia-container-toolkit
- WEBhttps://kidbomb.github.io/posts/nvidia-container-escape-cve-2025-23266
- WEBhttps://kidbomb.github.io/posts/nvidia-container-escape-cve-2025-23266-part-2
- WEBhttps://news.ycombinator.com/item?id=44818412
- WEBhttps://nvidia.custhelp.com/app/answers/detail/a_id/5659
- WEBhttps://pkg.go.dev/vuln/GO-2025-3992
- WEBhttps://www.wiz.io/blog/nvidia-ai-vulnerability-cve-2025-23266-nvidiascape