Breaking Out of The AI Cage: Pwning AI Providers with NVIDIA Vulnerabilities
Black Hat USA 2025 · Day 1 · Briefings
Wiz Research discovered a critical TOCTOU (time-of-check time-of-use) vulnerability in the NVIDIA Container Toolkit that allows a malicious container image to mount the host filesystem, effectively breaking out of container isolation. The flaw, now patched as CVE-2024-0132, affected virtually every major cloud and SaaS provider running GPU workloads. It allowed any attacker able to upload a container image to achieve full host filesystem access, cross-tenant data exposure, and lateral movement through internal cloud infrastructure.
AI review
A single TOCTOU race in NVIDIA's container toolkit simultaneously broke every cloud AI provider on the planet, required no timing precision to exploit, and delivered 100% reliability from a crafted Dockerfile. 'Your image is the exploit' is one of the most elegant primitives I've seen in years. This is what a dream vulnerability looks like.