@blamejs/exceptd-skills 0.13.80 → 0.13.82

package/data/atlas-ttps.json

@@ -1527,7 +1527,8 @@
     "stix_id": "attack-pattern--f13dede7-12ee-5f0e-985a-4f801aecb681",
     "is_subtechnique": false,
     "cve_refs": [
-      "CVE-2023-48022"
+      "CVE-2023-48022",
+      "CVE-2025-64496"
     ]
   },
   "AML.T0029": {
@@ -1696,7 +1697,9 @@
     "stix_id": "attack-pattern--ebeed0c7-c5de-5049-8f27-efcae5f88b00",
     "is_subtechnique": false,
     "cve_refs": [
-      "CVE-2023-48022"
+      "CVE-2023-48022",
+      "CVE-2025-64496",
+      "CVE-2026-0766"
     ]
   },
   "AML.T0050": {

package/data/attack-techniques.json

@@ -281,7 +281,9 @@
       "CVE-2025-54136",
       "CVE-2025-55319",
       "CVE-2025-60455",
+      "CVE-2025-64496",
       "CVE-2025-68664",
+      "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-22778",
@@ -930,6 +932,7 @@
       "CVE-2025-62847",
       "CVE-2025-62848",
       "CVE-2025-64328",
+      "CVE-2025-64496",
       "CVE-2025-6554",
       "CVE-2025-6558",
       "CVE-2025-66644",
@@ -942,6 +945,7 @@
       "CVE-2025-9242",
       "CVE-2025-9377",
       "CVE-2026-0300",
+      "CVE-2026-0766",
       "CVE-2026-1281",
       "CVE-2026-1340",
       "CVE-2026-1731",
@@ -2003,6 +2007,10 @@
     "description": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses.",
     "tactic": [
       "Execution"
+    ],
+    "cve_refs": [
+      "CVE-2024-0132",
+      "CVE-2025-23266"
     ]
   },
   "T1611": {
@@ -2014,11 +2022,13 @@
       "DS0029"
     ],
     "cve_refs": [
+      "CVE-2024-0132",
       "CVE-2024-21626",
       "CVE-2024-3154",
       "CVE-2025-22224",
       "CVE-2025-22225",
       "CVE-2025-22226",
+      "CVE-2025-23266",
       "CVE-2025-38352"
     ],
     "description_full": "Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allow an adversary access to other containerized or virtualized resources from the host level or to the host itself. In principle, containerized / virtualized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview) There are multiple ways an adversary may escape from a container to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes Container Escape)(Citation: Keyctl-unmask) Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open) In ESXi environments, an adversary may exploit a vulnerability in order to escape from a virtual machine into the hypervisor.(Citation: Broadcom VMSA-2025-004) Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other containers or virtual machines running on the host, or setting up a command and control channel on the host.",

package/data/cve-catalog.json

@@ -11408,6 +11408,419 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Anyscale Ray's Job Submission / Dashboard API runs attacker-supplied code without authentication; internet-exposed clusters are mass-exploited (ShadowRay 2.0) for crypto mining and AI-artifact / credential theft. Vendor-disputed, no code patch — mitigate with token auth (2.52.0+) and network isolation."
   },
+  "CVE-2026-0766": {
+    "name": "Open WebUI Tool Module Code Injection RCE",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "ZDI (CNA) CVSS v3.0 base 8.8 (HIGH); NVD enrichment pending at curation. Authenticated code injection in load_tool_module_by_id.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (Zero Day Initiative): an authenticated request drives the server to execute an unvalidated string as code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via coordinated advisory against Open WebUI, a widely deployed self-hosted AI chat front end. The abused surface is the tool-module loading path.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; code injection in an AI chat application.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Open WebUI 0.6.32 (the version named in the Zero Day Initiative advisory).",
+    "affected_versions": [
+      "Open WebUI 0.6.32"
+    ],
+    "vector": "Open WebUI's load_tool_module_by_id function does not validate a user-supplied string before using it to execute Python code (CWE-94). An authenticated attacker supplies a crafted value that the server runs, achieving remote code execution on the Open WebUI host.",
+    "complexity": "low",
+    "complexity_notes": "NVD/CNA AC:L. PR:L — requires an authenticated account.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to the fixed Open WebUI release (coordinated ZDI disclosure against 0.6.32); redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Open WebUI to a release that fixes the load_tool_module_by_id validation (the flaw was reported via coordinated ZDI disclosure against 0.6.32); restrict who can configure tools and run Open WebUI least-privilege."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI chat front ends as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to strings the AI app turns into executable code, nor to content from an external model server.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the AI chat app's tool-loading / external-model-connection paths as code-execution surfaces.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the AI chat app's dynamic-code paths as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model code injection via an AI front end's tool or model-connection features.",
+      "UK-CAF-B4": "System Security objective has no objective for neutralizing strings the AI app executes as code.",
+      "AU-ISM-1546": "Patch-application control does not single out self-hosted AI chat front ends.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats tool-module strings or external-model-server content as untrusted input the AI app must not execute as code."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=24 (Open WebUI is a widely deployed self-hosted AI front end) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-0766",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Open WebUI spawning Python execution from a tool module id that came from user input rather than a pinned tool registry.",
+        "Unexpected processes or imports during Open WebUI tool-module loading.",
+        "Authenticated requests to the tool-loading path carrying code-like or path-like payloads.",
+        "Open WebUI 0.6.32 — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-0766 (CWE-94) and the Zero Day Initiative advisory (https://www.zerodayinitiative.com/advisories/published/)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-0766",
+      "https://www.zerodayinitiative.com/advisories/published/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Zero Day Initiative",
+        "advisory_id": "CVE-2026-0766",
+        "url": "https://www.zerodayinitiative.com/advisories/published/",
+        "severity": "high",
+        "published_date": "2026-01-22"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-0766",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0766",
+        "severity": "high",
+        "published_date": "2026-01-22"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-94; CVSS 8.8) + the Zero Day Initiative advisory. Open WebUI code-injection RCE.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Open WebUI's load_tool_module_by_id runs an unvalidated user-supplied string as Python (CWE-94), giving an authenticated attacker remote code execution."
+  },
+  "CVE-2025-64496": {
+    "name": "Open WebUI Malicious Model Server Code Injection (Account Takeover to RCE)",
+    "type": "RCE",
+    "cvss_score": 8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.0 (HIGH). Code injection via server-sent events from a malicious external model server; requires the Direct Connections feature and luring a user to connect (UI:R).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (GitHub Security Advisory): a malicious external model server injects executable content into the Open WebUI client/back end.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via coordinated advisory against Open WebUI, a widely deployed self-hosted AI chat front end. The abused surface is the external-model-server connection path.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; code injection in an AI chat application.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Open WebUI 0.6.34 and prior, when the Direct Connections feature is enabled (patched in 0.6.35 per GHSA-cm35-v4vp-5xvx).",
+    "affected_versions": [
+      "Open WebUI <= 0.6.34 (Direct Connections enabled)"
+    ],
+    "vector": "When Open WebUI's Direct Connections feature is enabled and a user is lured into connecting to a malicious external model server, that server's server-sent events inject and execute JavaScript in the user's browser (CWE-95 / CWE-829), enabling token theft and account takeover, and with extended permissions remote code execution on the backend.",
+    "complexity": "low",
+    "complexity_notes": "NVD/CNA AC:L. UI:R — requires luring a user to connect to a malicious model server.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to Open WebUI 0.6.35 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Open WebUI to 0.6.35 or later. Disable Direct Connections unless required, and treat external model servers as untrusted."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI chat front ends as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to strings the AI app turns into executable code, nor to content from an external model server.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the AI chat app's tool-loading / external-model-connection paths as code-execution surfaces.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the AI chat app's dynamic-code paths as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model code injection via an AI front end's tool or model-connection features.",
+      "UK-CAF-B4": "System Security objective has no objective for neutralizing strings the AI app executes as code.",
+      "AU-ISM-1546": "Patch-application control does not single out self-hosted AI chat front ends.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats tool-module strings or external-model-server content as untrusted input the AI app must not execute as code."
+    },
+    "atlas_refs": [
+      "AML.T0049",
+      "AML.T0025"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=24 (Open WebUI is a widely deployed self-hosted AI front end) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-64496",
+    "cwe_refs": [
+      "CWE-95",
+      "CWE-501",
+      "CWE-829"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Open WebUI clients connecting to external model servers via the Direct Connections feature from untrusted endpoints.",
+        "Unexpected JavaScript execution / token use in Open WebUI sessions following a Direct Connection to a new model server.",
+        "Account-takeover indicators (session token reuse, privilege changes) after a user connects to an external model server.",
+        "Open WebUI <= 0.6.34 (Direct Connections enabled) — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2025-64496 (CWE-95/CWE-501/CWE-829) and the GitHub Security Advisory advisory (https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-64496",
+      "https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-64496",
+        "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx",
+        "severity": "high",
+        "published_date": "2025-11-07"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-64496",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64496",
+        "severity": "high",
+        "published_date": "2025-11-07"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-95/CWE-501/CWE-829; CVSS 8) + the GitHub Security Advisory advisory. Open WebUI code-injection RCE.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Open WebUI's Direct Connections feature lets a malicious external model server inject JavaScript via SSE (CWE-95), leading to account takeover and, with extended permissions, RCE; fixed in 0.6.35."
+  },
+  "CVE-2024-0132": {
+    "name": "NVIDIA Container Toolkit TOCTOU Container Escape",
+    "type": "CONTAINER-ESCAPE",
+    "cvss_score": 8.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
+    "cvss_note": "NIST CVSS v3.1 base 8.3 (HIGH); NVIDIA scored it 9.0 (CRITICAL). Time-of-check/time-of-use race condition in the container runtime enabling escape to the host.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented by Wiz Research and the NVIDIA advisory: a crafted container image / Dockerfile causes NVIDIA Container Toolkit to execute attacker-controlled code on the host, escaping the container.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Wiz Research. The abused surface is the GPU container runtime that underpins essentially all containerized AI/ML GPU workloads; a single escape crosses the tenant boundary on shared GPU infrastructure.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; a container-runtime escape whose significance is the AI/GPU multi-tenant blast radius.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Vendor/researcher disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "NVIDIA Container Toolkit 1.16.1 and earlier (fixed 1.16.2); NVIDIA GPU Operator up to but excluding 24.6.2 (fixed 24.6.2).",
+    "affected_versions": [
+      "NVIDIA Container Toolkit <= 1.16.1",
+      "NVIDIA GPU Operator < 24.6.2"
+    ],
+    "vector": "A TOCTOU race in NVIDIA Container Toolkit's handling of container images / mounts (CWE-367) lets a specially crafted container image escape its container and gain access to the host file system and runtime, enabling code execution on the host. Disclosed by Wiz.",
+    "complexity": "low",
+    "complexity_notes": "Requires the ability to run or schedule a crafted container image on a GPU node (the standard precondition for shared AI compute).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading NVIDIA Container Toolkit to 1.16.2 or later; restart the runtime, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade NVIDIA Container Toolkit to 1.16.2 or later (and NVIDIA GPU Operator past 24.6.2). Until then, do not run untrusted container images on GPU nodes."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the GPU container runtime as managed, escape-bearing software under every AI/ML GPU workload.",
+      "NIST-800-53-SC-7": "Boundary-protection control assumes the container is the tenant boundary; a runtime escape crosses it on shared GPU infrastructure.",
+      "ISO-27001-2022-A.8.22": "Segregation-of-networks/tenancy control does not account for a GPU-runtime escape breaking container isolation between AI workloads.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the GPU container runtime as a privileged isolation boundary requiring rapid patching.",
+      "DORA-Art-9": "ICT protection measures do not model a GPU-runtime container escape as an ICT-risk event crossing tenant boundaries.",
+      "UK-CAF-B4": "System Security objective has no objective for the GPU container runtime as an isolation boundary.",
+      "AU-ISM-1546": "Patch-application control does not single out the GPU container runtime that underpins AI workloads.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the GPU container runtime as an AI-pipeline trust boundary; an escape exposes co-tenant models, data and credentials on shared GPU hosts."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1610",
+      "T1611"
+    ],
+    "rwep_score": 35,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 35, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=30 (NVIDIA Container Toolkit underpins essentially all containerized GPU/AI workloads) minus patch 15. Note: the multi-tenant GPU-cloud blast radius raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-0132",
+    "cwe_refs": [
+      "CWE-367"
+    ],
+    "iocs": {
+      "behavioral": [
+        "NVIDIA Container Toolkit (nvidia-container-cli / runtime hook) loading libraries or executing binaries from a path under a container-controlled mount.",
+        "A container image whose initialization manipulates mounts, symlinks, or LD_* / search-path variables consumed by the GPU runtime.",
+        "Processes from a GPU workload container reading or writing host paths outside the container's intended mounts.",
+        "NVIDIA Container Toolkit at an affected version (NVIDIA Container Toolkit <= 1.16.1) on a node that schedules untrusted or multi-tenant GPU workloads — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2024-0132 (CWE-367 container escape) and Wiz Research + the NVIDIA security advisory (https://nvidia.custhelp.com/app/answers/detail/a_id/5582)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-0132",
+      "https://nvidia.custhelp.com/app/answers/detail/a_id/5582"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVIDIA Product Security",
+        "advisory_id": "NVIDIA-5582",
+        "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5582",
+        "severity": "high",
+        "published_date": "2024-09-26"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-0132",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0132",
+        "severity": "high",
+        "published_date": "2024-09-26"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-367; NIST CVSS 8.3) + Wiz Research + the NVIDIA security advisory. Member of the NVIDIA Container Toolkit GPU-container-escape family.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "NVIDIA Container Toolkit has a TOCTOU race (CWE-367) that lets a crafted container image escape to the host; fixed in 1.16.2. Ubiquitous in GPU/AI cloud workloads."
+  },
+  "CVE-2025-23266": {
+    "name": "NVIDIA Container Toolkit Init-Hook Untrusted Search Path Container Escape (NVIDIAScape)",
+    "type": "CONTAINER-ESCAPE",
+    "cvss_score": 9,
+    "cvss_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "NVD/NVIDIA CVSS v3.1 base 9.0 (CRITICAL, Scope:Changed). An untrusted search path in container-initialization hooks (CWE-426) lets a container run code with elevated host permissions. Disclosed by Wiz as NVIDIAScape.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented by Wiz Research and the NVIDIA advisory: a crafted container image / Dockerfile causes NVIDIA Container Toolkit to execute attacker-controlled code on the host, escaping the container.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Wiz Research. The abused surface is the GPU container runtime that underpins essentially all containerized AI/ML GPU workloads; a single escape crosses the tenant boundary on shared GPU infrastructure.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; a container-runtime escape whose significance is the AI/GPU multi-tenant blast radius.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Vendor/researcher disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "NVIDIA Container Toolkit up to and including 1.17.7 (fixed 1.17.8) and NVIDIA GPU Operator up to and including 25.3.0 (fixed 25.3.1).",
+    "affected_versions": [
+      "NVIDIA Container Toolkit <= 1.17.7",
+      "NVIDIA GPU Operator <= 25.3.0"
+    ],
+    "vector": "NVIDIA Container Toolkit's OCI createContainer hook inherits environment variables from the container, including LD_PRELOAD (CWE-426 untrusted search path). A crafted container image sets LD_PRELOAD to a rogue shared library that the privileged hook then loads with root privileges, executing attacker code on the host — a container escape. Disclosed by Wiz (NVIDIAScape); a three-line Dockerfile is sufficient.",
+    "complexity": "low",
+    "complexity_notes": "Requires the ability to run or schedule a crafted container image on a GPU node (the standard precondition for shared AI compute).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading NVIDIA Container Toolkit to 1.17.8 or later (or NVIDIA GPU Operator to 25.3.1 or later); restart the runtime, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade NVIDIA Container Toolkit to 1.17.8 or later (or NVIDIA GPU Operator to 25.3.1 or later) per NVIDIA advisory a_id/5659. Until then, do not run untrusted container images on GPU nodes and restrict who can schedule GPU workloads."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the GPU container runtime as managed, escape-bearing software under every AI/ML GPU workload.",
+      "NIST-800-53-SC-7": "Boundary-protection control assumes the container is the tenant boundary; a runtime escape crosses it on shared GPU infrastructure.",
+      "ISO-27001-2022-A.8.22": "Segregation-of-networks/tenancy control does not account for a GPU-runtime escape breaking container isolation between AI workloads.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the GPU container runtime as a privileged isolation boundary requiring rapid patching.",
+      "DORA-Art-9": "ICT protection measures do not model a GPU-runtime container escape as an ICT-risk event crossing tenant boundaries.",
+      "UK-CAF-B4": "System Security objective has no objective for the GPU container runtime as an isolation boundary.",
+      "AU-ISM-1546": "Patch-application control does not single out the GPU container runtime that underpins AI workloads.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the GPU container runtime as an AI-pipeline trust boundary; an escape exposes co-tenant models, data and credentials on shared GPU hosts."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1610",
+      "T1611"
+    ],
+    "rwep_score": 35,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 35, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=30 (NVIDIA Container Toolkit underpins essentially all containerized GPU/AI workloads) minus patch 15. Note: the multi-tenant GPU-cloud blast radius raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-23266",
+    "cwe_refs": [
+      "CWE-426"
+    ],
+    "iocs": {
+      "behavioral": [
+        "NVIDIA Container Toolkit (nvidia-container-cli / runtime hook) loading libraries or executing binaries from a path under a container-controlled mount.",
+        "A container image whose initialization manipulates mounts, symlinks, or LD_* / search-path variables consumed by the GPU runtime.",
+        "Processes from a GPU workload container reading or writing host paths outside the container's intended mounts.",
+        "NVIDIA Container Toolkit at an affected version (<= 1.17.7, or GPU Operator <= 25.3.0) on a node that schedules untrusted or multi-tenant GPU workloads — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2025-23266 (CWE-426 container escape) and Wiz Research + the NVIDIA security advisory (https://nvidia.custhelp.com/app/answers/detail/a_id/5659)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-23266",
+      "https://nvidia.custhelp.com/app/answers/detail/a_id/5659"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVIDIA Product Security",
+        "advisory_id": "NVIDIA-5659",
+        "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5659",
+        "severity": "critical",
+        "published_date": "2025-07-17"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-23266",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23266",
+        "severity": "critical",
+        "published_date": "2025-07-17"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-426; NIST CVSS 9) + Wiz Research + the NVIDIA security advisory. Member of the NVIDIA Container Toolkit GPU-container-escape family.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "NVIDIA Container Toolkit loads code via an untrusted search path in its init hooks (CWE-426), letting a crafted container escape to the host with elevated permissions (NVIDIAScape). Affects Container Toolkit <= 1.17.7 (fixed 1.17.8) and GPU Operator <= 25.3.0 (fixed 25.3.1)."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -382,6 +382,7 @@
       "CVE-2025-62848",
       "CVE-2025-8875",
       "CVE-2025-8876",
+      "CVE-2026-0766",
       "CVE-2026-1281",
       "CVE-2026-1340",
       "CVE-2026-20045",
@@ -1191,7 +1192,8 @@
     ],
     "skills_referencing": [],
     "evidence_cves": [
-      "CVE-2012-1854"
+      "CVE-2012-1854",
+      "CVE-2025-23266"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-AC-6",
@@ -1668,6 +1670,7 @@
     "evidence_cves": [
       "CVE-2025-32463",
       "CVE-2025-54136",
+      "CVE-2025-64496",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-SHAI-HULUD-OSS"
     ],
@@ -2072,7 +2075,8 @@
       "CWE-826"
     ],
     "evidence_cves": [
-      "CVE-2020-17103-REREGRESSION-2026"
+      "CVE-2020-17103-REREGRESSION-2026",
+      "CVE-2024-0132"
     ],
     "last_verified": "2026-05-18",
     "notes": "Added v0.13.17 to back the MiniPlasma cldflt.sys re-regression entry. CWE-367 is the standard MITRE classification for TOCTOU races; the cldflt.sys HsmOsBlockPlaceholderAccess primitive validates a placeholder file's accessibility once, then is racing against a junction / symlink swap before the kernel acts on the cached decision."
@@ -2202,6 +2206,7 @@
     "related_weaknesses": [],
     "evidence_cves": [
       "CVE-2025-24893",
+      "CVE-2025-64496",
       "CVE-2026-33017"
     ],
     "last_verified": "2026-05-18",
@@ -3176,7 +3181,9 @@
       "CWE-2000"
     ],
     "related_weaknesses": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2025-64496"
+    ],
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,