Description
Security update for nvidia-container-toolkit
This update for nvidia-container-toolkit fixes the following issues:
- Update to version 1.18.0:
  - This is a major release and includes the following high-level changes:
    - The default mode of the NVIDIA Container Runtime has been updated to make use of a just-in-time-generated CDI specification instead of defaulting to the legacy mode.
    - Added a systemd unit to generate CDI specifications for available devices automatically. This allows native CDI support in container engines such as Docker and Podman to be used without additional steps.
- Security issues fixed:
- CVE-2024-0133: Fixed data tampering in host file system via specially crafted container image (bsc#1231032)
- CVE-2024-0132: Fixed time-of-check time-of-use (TOCTOU) race condition in default configuration via specifically crafted container image (bsc#1231033)
- CVE-2024-0134: Fixed an issue where a specially crafted container image could lead to the creation of unauthorized files on the host (bsc#1232855)
- CVE-2024-0135: Fixed Improper Isolation or Compartmentalization in NVIDIA Container Toolkit (bsc#1236496)
- CVE-2024-0136: Fixed Improper Isolation or Compartmentalization in NVIDIA Container Toolkit (bsc#1236497)
- CVE-2024-0137: Fixed Improper Isolation or Compartmentalization in NVIDIA Container Toolkit (bsc#1236498)
- CVE-2025-23359: Fixed TOCTOU Vulnerability in NVIDIA Container Toolkit (bsc#1237085)
- CVE-2025-23267: Fixed link following that could lead to container escape (bsc#1246614)
- CVE-2025-23266: Fixed hook initialization that could lead to escalation of privileges (bsc#1246860)
Package list
SUSE Enterprise Storage 7.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS
SUSE Linux Enterprise Module for Containers 15 SP6
SUSE Linux Enterprise Module for Containers 15 SP7
SUSE Linux Enterprise Server 15 SP3-LTSS
SUSE Linux Enterprise Server 15 SP4-LTSS
SUSE Linux Enterprise Server 15 SP5-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP3
SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE Linux Enterprise Server for SAP Applications 15 SP5
openSUSE Leap 15.6
References
- Link for SUSE-SU-2025:4187-1
- SUSE Bug 1231032
- SUSE Bug 1231033
- SUSE Bug 1232855
- SUSE Bug 1236496
- SUSE Bug 1236497
- SUSE Bug 1236498
- SUSE Bug 1237085
- SUSE Bug 1246614
- SUSE Bug 1246860
- SUSE CVE CVE-2024-0132 page
- SUSE CVE CVE-2024-0133 page
- SUSE CVE CVE-2024-0134 page
- SUSE CVE CVE-2024-0135 page
- SUSE CVE CVE-2024-0136 page
- SUSE CVE CVE-2024-0137 page
- SUSE CVE CVE-2025-23266 page
- SUSE CVE CVE-2025-23267 page
Description
NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
Affected products
References
- CVE-2024-0132
- SUSE Bug 1231033
Description
NVIDIA Container Toolkit 1.16.1 or earlier contains a vulnerability in the default mode of operation allowing a specially crafted container image to create empty files on the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to data tampering.
Affected products
References
- CVE-2024-0133
- SUSE Bug 1231032
Description
NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability where a specially crafted container image can lead to the creation of unauthorized files on the host. The name and location of the files cannot be controlled by an attacker. A successful exploit of this vulnerability might lead to data tampering.
Affected products
References
- CVE-2024-0134
- SUSE Bug 1232855
Description
NVIDIA Container Toolkit contains an improper isolation vulnerability where a specially crafted container image could lead to modification of a host binary. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
Affected products
References
- CVE-2024-0135
- SUSE Bug 1236496
Description
NVIDIA Container Toolkit contains an improper isolation vulnerability where a specially crafted container image could lead to untrusted code obtaining read and write access to host devices. This vulnerability is present only when the NVIDIA Container Toolkit is configured in a nondefault way. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
Affected products
References
- CVE-2024-0136
- SUSE Bug 1236497
Description
NVIDIA Container Toolkit contains an improper isolation vulnerability where a specially crafted container image could lead to untrusted code running in the host's network namespace. This vulnerability is present only when the NVIDIA Container Toolkit is configured in a nondefault way. A successful exploit of this vulnerability may lead to denial of service and escalation of privileges.
Affected products
References
- CVE-2024-0137
- SUSE Bug 1236498
Description
NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial of service.
Affected products
References
- CVE-2025-23266
- SUSE Bug 1246860
Description
NVIDIA Container Toolkit for all platforms contains a vulnerability in the update-ldcache hook, where an attacker could cause a link following by using a specially crafted container image. A successful exploit of this vulnerability might lead to data tampering and denial of service.
Affected products
References
- CVE-2025-23267
- SUSE Bug 1246614
Description
NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
Affected products
References
- CVE-2025-23359
- SUSE Bug 1237085