Incomplete patching leaves Nvidia, Docker exposed to DoS attacks

A critical race condition bug affecting the Nvidia Container Toolkit, which received a fix in September, might still be open to attacks owing to incomplete patching.

Tracked as CVE-2024-0132, the flaw is a critical – CVSS 9 out of 10 – Time-of-Check Time-of-Use (TOCTOU) vulnerability that could allow a specifically crafted container image to gain access to the host file system. An incomplete patch would leave systems vulnerable to container escape attacks, leading to potential code execution, data tampering, or information disclosure.

Trend Micro research found that the vulnerability still existed after repeated patching, and identified a possible attack vector that uses the TOCTOU flaw to create a denial of service (DoS) condition on Docker running on Linux systems.

“The Trend Micro research report shows that the mitigation does not comprehensively address all exploit vectors, creating a false sense of security,” said Jason Soroko, a senior fellow at Sectigo. “This research challenges defenders to question patch completeness and adopt a proactive stance toward driver integrity verification.”

Nvidia Container Toolkit is a set of tools developed by Nvidia to enable GPU support in containers run by Docker or other container runtimes, especially for AI and ML-based applications.

DoS vulnerability in Docker

Trend Micro revealed that versions 1.17.3 and earlier remain vulnerable to CVE-2024-0132 in the default configuration, and that version 1.17.4 is exploitable only when the feature “allow-cuda-libs-from-container” is enabled. It also pointed out a related performance issue that could lead to a DoS attack on the host machine.

“This issue affects Docker on Linux systems,” Trend Micro said in a blog post. “When a new container is created with multiple mounts configured using (bind-propagation=shared), multiple parent/child paths are established. However, the associated entries are not removed in the Linux mount table after container termination.”

The leaked entries create a bloated mount table that can grow without bound, quickly burning through available file descriptors (FDs). As the FD supply dries up, Docker hits a wall and can no longer spin up new containers. An oversized mount table can also drag down system performance, locking users out of the host entirely and creating a DoS condition, according to the blog.

The DoS requires root-level privileges as a prerequisite, which can be attained through a CVE-2024-0132 exploit. To illustrate this, Trend Micro outlines potential attack steps in which two malicious container images exploit the TOCTOU flaw to gain full root-level privileges and simultaneously carry out a DoS attack.
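Mount-table bloat of the kind described above is visible from the host before Docker stops responding, so a defender can watch for it. The script below is an added example, not code from the article or from Trend Micro: it parses the Linux `/proc/self/mountinfo` format, counts entries (and those with shared propagation), compares a snapshot against a baseline, and reads `/proc/sys/fs/file-nr` for file-descriptor pressure. The `/var/lib/docker` prefix and the alert thresholds are assumptions; the mountinfo and file-nr samples are constructed.

```python
"""Detect a growing Linux mount table and FD exhaustion (added example)."""
import os

MOUNTINFO_PATH = "/proc/self/mountinfo"   # standard Linux procfs location
FILE_NR_PATH = "/proc/sys/fs/file-nr"     # "allocated  free  max" counters
DOCKER_PREFIX = "/var/lib/docker"         # assumed Docker data root

# Constructed sample in proc(5) mountinfo layout; not captured from a real host.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 0:33 / /var/lib/docker/overlay2/a1/merged rw,relatime shared:20 - overlay overlay rw
41 22 0:34 / /var/lib/docker/overlay2/b2/merged rw,relatime shared:21 - overlay overlay rw
42 22 0:35 / /var/lib/docker/volumes/v1/_data rw,relatime shared:22 master:1 - ext4 /dev/sda1 rw
50 22 0:40 / /mnt/data rw,relatime - ext4 /dev/sdb1 rw
"""


def parse_mountinfo(text):
    """Return one dict per mount line. Optional fields (shared:N, master:N,
    unbindable) sit between the mount options and the ' - ' separator."""
    entries = []
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")
        fields = left.split()
        if not sep or len(fields) < 6:
            continue  # blank or malformed line: skip rather than crash
        optional = fields[6:]
        fs_fields = right.split()
        entries.append({
            "id": int(fields[0]),
            "parent": int(fields[1]),
            "mount_point": fields[4],
            "shared": any(f.startswith("shared:") for f in optional),
            "fstype": fs_fields[0] if fs_fields else "",
        })
    return entries


def summarize(entries, prefix=DOCKER_PREFIX):
    """Counts relevant to the DoS: total entries, shared-propagation entries,
    and entries under the container runtime's data directory."""
    return {
        "total": len(entries),
        "shared": sum(1 for e in entries if e["shared"]),
        "under_prefix": sum(1 for e in entries if e["mount_point"].startswith(prefix)),
    }


def growth_alert(baseline, current, max_total=1000, growth_factor=2.0):
    """True when the table is both large and has grown sharply since baseline."""
    grew = current["total"] >= growth_factor * max(baseline["total"], 1)
    return current["total"] > max_total and grew


def parse_file_nr(text):
    """Return (allocated, maximum) from the file-nr counters."""
    allocated, _free, maximum = (int(x) for x in text.split()[:3])
    return allocated, maximum


def fd_pressure(allocated, maximum, threshold=0.8):
    """True when system-wide file handles are mostly consumed."""
    return maximum > 0 and allocated / maximum >= threshold


def snapshot():
    """Read the live host when running on Linux; fall back to the sample."""
    if os.path.exists(MOUNTINFO_PATH):
        with open(MOUNTINFO_PATH) as fh:
            return summarize(parse_mountinfo(fh.read()))
    return summarize(parse_mountinfo(SAMPLE_MOUNTINFO))


if __name__ == "__main__":
    current = snapshot()
    print("mount table:", current)
    if os.path.exists(FILE_NR_PATH):
        with open(FILE_NR_PATH) as fh:
            alloc, maximum = parse_file_nr(fh.read())
        print("fd pressure:", fd_pressure(alloc, maximum), f"({alloc}/{maximum})")
```

Run it once on a healthy host to record a baseline, then periodically feed the stored baseline and the new `snapshot()` to `growth_alert`; a table that doubles and passes the absolute ceiling is the signature of leaked bind-propagation entries rather than normal container churn.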

Mitigations include restricting Docker access

CVE-2024-0132 first received a fix in September 2024, which did not fully patch the flaw and left a patch bypass tracked as CVE-2025-23359. Nvidia fixed the bypass in February with a patch that Trend Micro believes is also lacking.

The problem is that the fix, issued with the version 1.17.4 update, includes an optional feature flag “allow-cuda-compat-libs-from-containers” that rolls back to the unpatched behaviour and reintroduces CVE-2024-0132. Queries emailed to Nvidia about the incomplete patch had not received a response at the time of publication. To fully protect systems from exploitation, Trend Micro recommends keeping this optional feature disabled at all times. Additionally, to ward off DoS attempts, access to the Docker API should be limited to authorized personnel only.
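Both recommendations can be checked mechanically. The audit below is an added example, not code from the article, Nvidia or Trend Micro: it reads the toolkit configuration as TOML and flags any enabled key matching the rollback flag by pattern (so either spelling quoted in the reporting, “allow-cuda-libs-from-container” or “allow-cuda-compat-libs-from-containers”, is caught), and it reads Docker's `daemon.json` to flag a TCP API listener without TLS client verification. The config file paths, the `[features]` table and the sample configs are assumptions constructed for the example; confirm the real key name and paths against the installed packages' documentation.

```python
"""Audit the two mitigations above: rollback flag off, Docker API gated (added example)."""
import json
import os
import re

# Assumed locations; verify against the installed packages' documentation.
TOOLKIT_CONFIG = "/etc/nvidia-container-runtime/config.toml"
DOCKER_DAEMON_JSON = "/etc/docker/daemon.json"

# Matches the flag regardless of the 'compat' / trailing 's' spelling differences.
FLAG_PATTERN = re.compile(r"^allow-cuda.*libs-from-container", re.IGNORECASE)
TRUE_VALUES = {"true", "1", "yes"}

# Constructed samples; table name and key spelling are assumptions.
SAMPLE_TOOLKIT_CONFIG = """\
[nvidia-container-cli]
no-cgroups = false

[features]
allow-cuda-compat-libs-from-containers = true   # rollback flag: must be false
"""
HARDENED_TOOLKIT_CONFIG = SAMPLE_TOOLKIT_CONFIG.replace("= true", "= false")

SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock"]}'
TLS_DAEMON_JSON = '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true}'


def parse_simple_toml(text):
    """Minimal TOML reader returning {(table, key): raw_value}. Handles
    [table] headers, key = value lines and '#' comments, which is enough
    for boolean feature flags; it is not a full TOML parser."""
    table, out = "", {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            table = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            out[(table, key.strip().strip('"'))] = value.strip().strip('"')
    return out


def audit_toolkit_config(text):
    """Return (table, key, value) for every enabled rollback flag."""
    return [
        (table, key, value)
        for (table, key), value in parse_simple_toml(text).items()
        if FLAG_PATTERN.match(key) and value.lower() in TRUE_VALUES
    ]


def audit_docker_daemon(text):
    """Flag TCP listeners configured without tlsverify (unauthenticated API)."""
    cfg = json.loads(text) if text.strip() else {}
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    tcp = [h for h in hosts if h.startswith("tcp://")]
    if tcp and not cfg.get("tlsverify", False):
        return [f"unauthenticated Docker API listener: {h}" for h in tcp]
    return []


def run_audit(toolkit_path=TOOLKIT_CONFIG, daemon_path=DOCKER_DAEMON_JSON):
    """Audit the live files when present; missing files produce no findings."""
    findings = []
    if os.path.exists(toolkit_path):
        with open(toolkit_path) as fh:
            findings += [f"rollback flag enabled: [{t}] {k} = {v}"
                         for t, k, v in audit_toolkit_config(fh.read())]
    if os.path.exists(daemon_path):
        with open(daemon_path) as fh:
            findings += audit_docker_daemon(fh.read())
    return findings


if __name__ == "__main__":
    print("sample toolkit config:", audit_toolkit_config(SAMPLE_TOOLKIT_CONFIG))
    print("sample daemon.json:", audit_docker_daemon(SAMPLE_DAEMON_JSON))
    print("live host:", run_audit() or "no findings")
```

A daemon.json with no `hosts` key leaves Docker on its default Unix socket, so the API check only fires when a TCP listener has been added without `tlsverify`; the Unix socket itself still needs its file permissions and group membership restricted, which this audit does not cover.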

15 April 2025