Description
NVIDIA Container Toolkit for Linux contains a vulnerability where an attacker could cause a time-of-check time-of-use race condition. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, and data tampering.
Published: 2026-07-01
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NVIDIA Container Toolkit for Linux contains a race condition between checking file existence and using that file. If an attacker succeeds, they can trick the container runtime into executing arbitrary code, effectively escalating privileges and modifying data within the container environment. The weakness corresponds to CWE-367.

Affected Systems

NVIDIA Container Toolkit and NVIDIA GPU Operator running on Linux are affected. No specific version numbers are listed, so all current releases should be considered vulnerable until.

Risk and Exploitability

The assessed CVSS score is 8.5, indicating high severity. EPSS is not available, so the likelihood of exploitation in the wild is uncertain but potentially significant given the privilege escalation impact. The vulnerability is not yet listed in the CISA KEV catalog. Because the race condition operates within the container runtime, the likely attack vector requires the attacker to have the ability to influence container configuration or file system state, suggesting at least a local or privileged user context.

Generated by OpenCVE AI on July 1, 2026 at 19:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NVIDIA Container Toolkit and GPU Operator to patched versions that fix the race condition.
  • If an update cannot be applied immediately, restrict container execution privileges by applying least privilege policies and disabling the affected features.
  • Monitor container logs for abnormal file or configuration changes that could indicate race attempts.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 20:00:00 +0000

Type | Values Removed | Values Added
Title | | Time-of-Check Time-of-Use Race in NVIDIA Container Toolkit Enables Privilege Escalation

Wed, 01 Jul 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | NVIDIA Container Toolkit for Linux contains a vulnerability where an attacker could cause a time-of-check time-of-use race condition. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, and data tampering.
Weaknesses | | CWE-367
References | |
Metrics | | cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: nvidia

Published:

Updated: 2026-07-01T16:04:14.236Z

Reserved: 2026-01-21T19:09:48.284Z

Link: CVE-2026-24260

Vulnrichment

Updated: 2026-07-01T16:04:06.491Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T19:45:04Z

Weaknesses
  • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition