
Cybersecurity researchers have detailed a case of an incomplete patch for a previously addressed security flaw impacting the NVIDIA Container Toolkit that, if successfully exploited, could put sensitive data at risk.
The original vulnerability, CVE-2024-0132 (CVSS score: 9.0), is a Time-of-Check Time-of-Use (TOCTOU) vulnerability that could lead to a container escape attack and allow for unauthorized access to the underlying host.
While this flaw was resolved by NVIDIA in September 2024, a new analysis by Trend Micro has revealed that the fix is incomplete and that a related performance flaw affecting Docker on Linux could result in a denial-of-service (DoS) condition.
“These issues could enable attackers to escape container isolation, access sensitive host resources, and cause severe operational disruptions,” Trend Micro researcher Abdelrahman Esmail said in a new report published today.
The fact that the TOCTOU vulnerability persists means that a specially crafted container could be abused to access the host file system and execute arbitrary commands with root privileges. The flaw impacts version 1.17.4 if the feature allow-cuda-compat-libs-from-container is explicitly enabled.
“The specific flaw exists within the mount_files function,” Trend Micro said. “The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the host.”
However, for this privilege escalation to work, the attacker must have already obtained the ability to execute code within a container.
The shortcoming has been assigned the CVE identifier CVE-2025-23359 (CVSS score: 9.0), which cloud security firm Wiz had previously flagged, back in February 2025, as also being a bypass for CVE-2024-0132. It has been addressed in version 1.17.4.
The cybersecurity company said it also discovered a performance issue during its analysis of CVE-2024-0132 that could potentially lead to a DoS vulnerability on the host machine. It affects Docker instances on Linux systems.
“When a new container is created with multiple mounts configured using (bind-propagation=shared), multiple parent/child paths are established. However, the associated entries are not removed in the Linux mount table after container termination,” Esmail said.
“This leads to a rapid and uncontrollable growth of the mount table, exhausting available file descriptors (fd). Eventually, Docker is unable to create new containers due to fd exhaustion. This excessively large mount table leads to a huge performance issue, preventing users from connecting to the host (i.e., via SSH).”
To mitigate the issue, it’s advised to monitor the Linux mount table for abnormal growth, limit Docker API access to authorized personnel, enforce strong access control policies, and conduct periodic audits of container-to-host filesystem bindings, volume mounts, and socket connections.
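One way to monitor the mount table for abnormal growth is to compare snapshots of /proc/self/mountinfo over time. The following is an added example, not code from Trend Micro or NVIDIA; the function names, thresholds and sample snapshots are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed snapshots in /proc/self/mountinfo format (not from a real host).
BASELINE = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:21 / /proc rw,nosuid - proc proc rw
"""
LATER = BASELINE + """\
40 22 8:1 /srv/data /srv/data rw shared:2 - ext4 /dev/sda1 rw
41 40 8:1 /srv/data /srv/data/a rw shared:3 - ext4 /dev/sda1 rw
42 40 8:1 /srv/data /srv/data/a rw shared:3 - ext4 /dev/sda1 rw
43 40 8:1 /srv/data /srv/data/a rw shared:3 - ext4 /dev/sda1 rw
"""

def parse_mountinfo(text):
    """Return [(mount_point, is_shared)] for each well-formed mountinfo line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Fields 0-5 are fixed; optional propagation tags follow until a lone "-".
        if "-" not in fields[6:]:
            continue  # malformed or truncated line
        sep = fields.index("-", 6)
        shared = any(tag.startswith("shared:") for tag in fields[6:sep])
        entries.append((fields[4], shared))
    return entries

def growth_report(before, after, max_new=3, max_total=1000):
    """Compare two snapshots; thresholds are assumptions to tune per host."""
    old, new = parse_mountinfo(before), parse_mountinfo(after)
    # Counter subtraction keeps only mount points whose entry count increased.
    added = Counter(mp for mp, _ in new) - Counter(mp for mp, _ in old)
    return {
        "total": len(new),
        "shared": sum(1 for _, s in new if s),
        "added": dict(added),
        "alert": sum(added.values()) > max_new or len(new) > max_total,
    }

def read_mountinfo(path="/proc/self/mountinfo"):
    """Take a live snapshot on a Linux host."""
    with open(path) as fh:
        return fh.read()

if __name__ == "__main__":
    print(growth_report(BASELINE, LATER))
```

On a Docker host, a scheduled job can store the output of read_mountinfo() after each run and pass the previous and current snapshots to growth_report().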