Cybersecurity researchers have detailed cases of incomplete patches of previously treated security flaws.
The original vulnerability CVE-2024-0132 (CVSS score: 9.0) is a time-of-use (Toctou) vulnerability that could lead to container escape attacks and allow unauthorized access to the underlying host.
This flaw was resolved by Nvidia in September 2024, but a new analysis by Trend Micro reveals that the fix is incomplete, and there are also related performance flaws affecting Docker on Linux, which could lead to a denial of service (DOS) state.
“These issues allow attackers to escape container separation, access sensitive host resources, and can cause serious operational disruption,” Trend Micro researcher Abdel Rahman Esmail said in a new report published today.
The fact that the vulnerability in Toctou persists means that you abuse a specially made container to access the host file system and execute any command using root privileges. Flaw affects version 1.17.4 if the feature is explicitly enabled from Container from COUDA-COMPAT-LIBS.
“Certain flaws reside in the mount_files function,” Trend Micro said. “This issue is caused by the lack of proper locks when performing operations on objects. An attacker can exploit this vulnerability to escalate privileges and execute arbitrary code in the context of the host.”
However, for this privilege escalation to work, the attacker must already have the ability to run the code inside the container.
The drawback was assigned the CVE Identifier CVE-2025-23359 (CVSS score: 9.0). It was previously flagged in February 2025 as a bypass for CVE-2024-0132 by cloud security company Wiz.
The cybersecurity company said during its analysis of CVE-2024-0132 it also discovered performance issues that could lead to DOS vulnerabilities on the host machine. It affects Docker instances on Linux systems.
“When a new container is created with multiple mounts configured using (bind-propagation = shared), multiple parent/child paths are established. However, the associated entries are not deleted in the Linux mount table after the container is finished,” says Esmail.
“This leads to rapid and uncontrollable growth of the mount table, running out of available file descriptors (FDs). Ultimately, Docker is unable to create new containers due to FD fatigue.
To mitigate the issue, we recommend monitoring the Linux mount table for abnormal growth, restricting Docker API access to approved personnel, enforcing strong access control policies, and conducting regular audits of file system bindings, volume mounts and socket connections from containers to hosts.
Source link
