
CVE-2025-23267

High

Published: 17 July 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H)
EPSS Score: 0.0036 (58.5th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

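CVE-2025-23267 is a high-severity Link Following (CWE-59) vulnerability in the NVIDIA Container Toolkit. The affected asset shown on this page, "Custhelp", is inferred from the reference URLs: nvidia.custhelp.com is the host of the NVIDIA security advisory. Its CVSS base score is 8.5 (High).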

Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611). The CVE ranks in the top 41.5% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-23267 is a vulnerability in the NVIDIA Container Toolkit across all platforms, specifically within the update-ldcache hook. An attacker can exploit it by using a specially crafted container image to cause improper link following, potentially leading to data tampering and denial of service. Published on 2025-07-17, the issue is classified under CWE-59 (Improper Link Resolution Before File Access) with a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H).

Exploitation requires low privileges from a network-accessible attacker, with no user interaction and low attack complexity. The scope is changed, and the rated impacts are no confidentiality impact, low integrity impact (data tampering), and high availability impact (denial of service) on the targeted system.

Mitigation details are available in the NVIDIA security advisory at https://nvidia.custhelp.com/app/answers/detail/a_id/5659 and the OSS-security mailing list post at http://www.openwall.com/lists/oss-security/2025/07/16/3.

EU & UK References

Vulnerability details

NVIDIA Container Toolkit for all platforms contains a vulnerability in the update-ldcache hook, where an attacker could cause a link following by using a specially crafted container image. A successful exploit of this vulnerability might lead to data tampering and denial of service.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1611 · Escape to Host · Privilege Escalation
Adversaries may break out of a container or virtualized environment to gain access to the underlying host.

T1565.001 · Stored Data Manipulation · Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability enables host file tampering and denial of service through a symlink attack delivered in a malicious container image (CWE-59), which directly facilitates the container escape and data/system impact techniques.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31990 · Shared CWE-59
CVE-2026-7374 · Shared CWE-59
CVE-2026-40931 · Shared CWE-59
CVE-2026-5161 · Shared CWE-59
CVE-2026-32054 · Shared CWE-59
CVE-2025-66277 · Shared CWE-59
CVE-2025-60710 · Shared CWE-59
CVE-2026-42834 · Shared CWE-59
CVE-2025-21373 · Shared CWE-59
CVE-2026-2627 · Shared CWE-59

Affected Assets

Custhelp
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the improper link resolution vulnerability (CWE-59) in the NVIDIA Container Toolkit's update-ldcache hook to prevent exploitation via specially crafted container images.

prevent

Validates and sanitizes inputs from container images processed by the update-ldcache hook to mitigate improper link resolution before file access.

prevent · detect

Monitors integrity of the NVIDIA Container Toolkit software and files to prevent data tampering and detect denial-of-service impacts from symlink exploits.

References