CVE-2025-23266

NVIDIA Transformers4Rec load_model_trainer_states_from_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability

Severity Score

9.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial of service.

A flaw was found in the NVIDIA Container Toolkit. This vulnerability allows execution of arbitrary code with elevated permissions via improperly secured container initialization hooks. This can potentially lead to privilege escalation, data tampering, information disclosure, and denial of service.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NVIDIA Transformers4Rec. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the load_model_trainer_states_from_checkpoint function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root.

An update for toolbox is now available for Red Hat Enterprise Linux 10. Issues addressed include a privilege escalation vulnerability.

*Credits: Peter Girnus (@gothburz) of Trend Zero Day Initiative

CVSS Scores

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Adjacent

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2025-01-14 CVE Reserved
2025-07-17 CVE Published
2025-07-21 First Exploit
2025-08-16 CVE Updated
2025-08-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-426: Untrusted Search Path

CAPEC

References (4)

URL	Tag	Source
https://nvidia.custhelp.com/app/answers/detail/a_id/5659

URL	Date	SRC
https://github.com/jpts/cve-2025-23266-poc	2025-07-21

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2025-23266	2025-08-12
https://bugzilla.redhat.com/show_bug.cgi?id=2381794	2025-08-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
NVIDIA Search vendor "NVIDIA"		Container Toolkit Search vendor "NVIDIA" for product "Container Toolkit"				1.17.7 Search vendor "NVIDIA" for product "Container Toolkit" and version "1.17.7"		en		Affected
NVIDIA Search vendor "NVIDIA"		Container Toolkit Search vendor "NVIDIA" for product "Container Toolkit"				25.3.0 Search vendor "NVIDIA" for product "Container Toolkit" and version "25.3.0"		en		Affected