Date: 2025-02-26
CRITICAL risk vulnerabilities concerning nvidia-toolkit <=v1.17.4 and nvidia-gpu-operator <=24.9.2
EGI SVG ID : EGI-SVG-2025-02
CVE ID : CVE-2024-0135, CVE-2024-0136, CVE-2024-0137, CVE-2025-23359
CVSS Score : Up to 8.3 [R 1]/[R 2]
Affected versions vary depending on CVE, but all vulnerabilities in this advisory are patched in the following versions:
The breakdown of affected versions based on CVE is as follows [R 1]/[R 2]:
For CVE‑2024-0135, CVE‑2024-0136, CVE‑2024-0137:
For CVE‑2025-23359:
Sites running nvidia-toolkit and nvidia-gpu-operator are required to urgently install new version v1.17.4 and 24.9.2 respectively.
All running resources MUST be either patched or have mitigation in place or software removed by 2025-03-06 00:00 UTC
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.
Mitigations for these CVEs have been published by NVIDIA on the relevant security bulletin, refer to these for instructions [R 1]/[R 2].
EGI SVG has elevated the risk level of CVE-2025-23359 from HIGH to CRITICAL due to the potential for container escape and the potential impact this has on EGI infrastructure.
CVE-2025-23359 is a bypass of the fix for CVE-2024-0132 (see [R 7]) for which we sent Advisory-EGI-SVG-2024-22: https://advisories.egi.eu/Advisory-EGI-2024-22
TLP:AMBER information - Limited distribution
This advisory will be made public on or after 2025-03-26 at
https://advisories.egi.eu/Advisory-EGI-SVG-2025-02
https://advisories.egi.eu/Advisory-SVG-CVE-2024-0135
https://advisories.egi.eu/Advisory-SVG-CVE-2024-0136
https://advisories.egi.eu/Advisory-SVG-CVE-2024-0137
https://advisories.egi.eu/Advisory-SVG-CVE-2025-23359
Minor updates may be made without re-distribution to the sites.
Others may re-use this information provided they:-
1) Respect the provided TLP classification
2) Credit the EGI (https://www.egi.eu/) Software Vulnerability Group -----------------------------
Comments or questions should be sent to svg-rat at mailman.egi.eu
Vulnerabilities relevant for EGI can be reported at report-vulnerability at egi.eu
(see [R 99] for further details, and other information on SVG)
[R 1] https://nvidia.custhelp.com/app/answers/detail/a_id/5599 (NVIDIA Security Bulletin, January 2025)
[R 2] https://nvidia.custhelp.com/app/answers/detail/a_id/5616 (NVIDIA Security Bulletin, February 2025)
[R 7] https://www.wiz.io/blog/nvidia-ai-vulnerability-deep-dive-cve-2024-0132 (CVE-2024-0132 and CVE-2025-23359 description)
[R 99] https://confluence.egi.eu/display/EGIBG/SVG+Advisories
SVG was alerted to these vulnerabilities by Barbara Krašovec