@blamejs/exceptd-skills 0.13.81 → 0.13.82

package/data/attack-techniques.json

@@ -2007,6 +2007,10 @@
     "description": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses.",
     "tactic": [
       "Execution"
+    ],
+    "cve_refs": [
+      "CVE-2024-0132",
+      "CVE-2025-23266"
     ]
   },
   "T1611": {
@@ -2018,11 +2022,13 @@
       "DS0029"
     ],
     "cve_refs": [
+      "CVE-2024-0132",
       "CVE-2024-21626",
       "CVE-2024-3154",
       "CVE-2025-22224",
       "CVE-2025-22225",
       "CVE-2025-22226",
+      "CVE-2025-23266",
       "CVE-2025-38352"
     ],
     "description_full": "Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allow an adversary access to other containerized or virtualized resources from the host level or to the host itself. In principle, containerized / virtualized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview) There are multiple ways an adversary may escape from a container to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes Container Escape)(Citation: Keyctl-unmask) Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open) In ESXi environments, an adversary may exploit a vulnerability in order to escape from a virtual machine into the hypervisor.(Citation: Broadcom VMSA-2025-004) Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other containers or virtual machines running on the host, or setting up a command and control channel on the host.",

package/data/cve-catalog.json

@@ -11617,6 +11617,210 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Open WebUI's Direct Connections feature lets a malicious external model server inject JavaScript via SSE (CWE-95), leading to account takeover and, with extended permissions, RCE; fixed in 0.6.35."
   },
+  "CVE-2024-0132": {
+    "name": "NVIDIA Container Toolkit TOCTOU Container Escape",
+    "type": "CONTAINER-ESCAPE",
+    "cvss_score": 8.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
+    "cvss_note": "NIST CVSS v3.1 base 8.3 (HIGH); NVIDIA scored it 9.0 (CRITICAL). Time-of-check/time-of-use race condition in the container runtime enabling escape to the host.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented by Wiz Research and the NVIDIA advisory: a crafted container image / Dockerfile causes NVIDIA Container Toolkit to execute attacker-controlled code on the host, escaping the container.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Wiz Research. The abused surface is the GPU container runtime that underpins essentially all containerized AI/ML GPU workloads; a single escape crosses the tenant boundary on shared GPU infrastructure.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; a container-runtime escape whose significance is the AI/GPU multi-tenant blast radius.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Vendor/researcher disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "NVIDIA Container Toolkit 1.16.1 and earlier (fixed 1.16.2); NVIDIA GPU Operator up to but excluding 24.6.2 (fixed 24.6.2).",
+    "affected_versions": [
+      "NVIDIA Container Toolkit <= 1.16.1",
+      "NVIDIA GPU Operator < 24.6.2"
+    ],
+    "vector": "A TOCTOU race in NVIDIA Container Toolkit's handling of container images / mounts (CWE-367) lets a specially crafted container image escape its container and gain access to the host file system and runtime, enabling code execution on the host. Disclosed by Wiz.",
+    "complexity": "low",
+    "complexity_notes": "Requires the ability to run or schedule a crafted container image on a GPU node (the standard precondition for shared AI compute).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading NVIDIA Container Toolkit to 1.16.2 or later; restart the runtime, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade NVIDIA Container Toolkit to 1.16.2 or later (and NVIDIA GPU Operator past 24.6.2). Until then, do not run untrusted container images on GPU nodes."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the GPU container runtime as managed, escape-bearing software under every AI/ML GPU workload.",
+      "NIST-800-53-SC-7": "Boundary-protection control assumes the container is the tenant boundary; a runtime escape crosses it on shared GPU infrastructure.",
+      "ISO-27001-2022-A.8.22": "Segregation-of-networks/tenancy control does not account for a GPU-runtime escape breaking container isolation between AI workloads.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the GPU container runtime as a privileged isolation boundary requiring rapid patching.",
+      "DORA-Art-9": "ICT protection measures do not model a GPU-runtime container escape as an ICT-risk event crossing tenant boundaries.",
+      "UK-CAF-B4": "System Security objective has no objective for the GPU container runtime as an isolation boundary.",
+      "AU-ISM-1546": "Patch-application control does not single out the GPU container runtime that underpins AI workloads.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the GPU container runtime as an AI-pipeline trust boundary; an escape exposes co-tenant models, data and credentials on shared GPU hosts."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1610",
+      "T1611"
+    ],
+    "rwep_score": 35,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 35, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=30 (NVIDIA Container Toolkit underpins essentially all containerized GPU/AI workloads) minus patch 15. Note: the multi-tenant GPU-cloud blast radius raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-0132",
+    "cwe_refs": [
+      "CWE-367"
+    ],
+    "iocs": {
+      "behavioral": [
+        "NVIDIA Container Toolkit (nvidia-container-cli / runtime hook) loading libraries or executing binaries from a path under a container-controlled mount.",
+        "A container image whose initialization manipulates mounts, symlinks, or LD_* / search-path variables consumed by the GPU runtime.",
+        "Processes from a GPU workload container reading or writing host paths outside the container's intended mounts.",
+        "NVIDIA Container Toolkit at an affected version (NVIDIA Container Toolkit <= 1.16.1) on a node that schedules untrusted or multi-tenant GPU workloads — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2024-0132 (CWE-367 container escape) and Wiz Research + the NVIDIA security advisory (https://nvidia.custhelp.com/app/answers/detail/a_id/5582)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-0132",
+      "https://nvidia.custhelp.com/app/answers/detail/a_id/5582"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVIDIA Product Security",
+        "advisory_id": "NVIDIA-5582",
+        "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5582",
+        "severity": "high",
+        "published_date": "2024-09-26"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-0132",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0132",
+        "severity": "high",
+        "published_date": "2024-09-26"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-367; NIST CVSS 8.3) + Wiz Research + the NVIDIA security advisory. Member of the NVIDIA Container Toolkit GPU-container-escape family.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "NVIDIA Container Toolkit has a TOCTOU race (CWE-367) that lets a crafted container image escape to the host; fixed in 1.16.2. Ubiquitous in GPU/AI cloud workloads."
+  },
+  "CVE-2025-23266": {
+    "name": "NVIDIA Container Toolkit Init-Hook Untrusted Search Path Container Escape (NVIDIAScape)",
+    "type": "CONTAINER-ESCAPE",
+    "cvss_score": 9,
+    "cvss_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "NVD/NVIDIA CVSS v3.1 base 9.0 (CRITICAL, Scope:Changed). An untrusted search path in container-initialization hooks (CWE-426) lets a container run code with elevated host permissions. Disclosed by Wiz as NVIDIAScape.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented by Wiz Research and the NVIDIA advisory: a crafted container image / Dockerfile causes NVIDIA Container Toolkit to execute attacker-controlled code on the host, escaping the container.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Wiz Research. The abused surface is the GPU container runtime that underpins essentially all containerized AI/ML GPU workloads; a single escape crosses the tenant boundary on shared GPU infrastructure.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; a container-runtime escape whose significance is the AI/GPU multi-tenant blast radius.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Vendor/researcher disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "NVIDIA Container Toolkit up to and including 1.17.7 (fixed 1.17.8) and NVIDIA GPU Operator up to and including 25.3.0 (fixed 25.3.1).",
+    "affected_versions": [
+      "NVIDIA Container Toolkit <= 1.17.7",
+      "NVIDIA GPU Operator <= 25.3.0"
+    ],
+    "vector": "NVIDIA Container Toolkit's OCI createContainer hook inherits environment variables from the container, including LD_PRELOAD (CWE-426 untrusted search path). A crafted container image sets LD_PRELOAD to a rogue shared library that the privileged hook then loads with root privileges, executing attacker code on the host — a container escape. Disclosed by Wiz (NVIDIAScape); a three-line Dockerfile is sufficient.",
+    "complexity": "low",
+    "complexity_notes": "Requires the ability to run or schedule a crafted container image on a GPU node (the standard precondition for shared AI compute).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading NVIDIA Container Toolkit to 1.17.8 or later (or NVIDIA GPU Operator to 25.3.1 or later); restart the runtime, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade NVIDIA Container Toolkit to 1.17.8 or later (or NVIDIA GPU Operator to 25.3.1 or later) per NVIDIA advisory a_id/5659. Until then, do not run untrusted container images on GPU nodes and restrict who can schedule GPU workloads."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the GPU container runtime as managed, escape-bearing software under every AI/ML GPU workload.",
+      "NIST-800-53-SC-7": "Boundary-protection control assumes the container is the tenant boundary; a runtime escape crosses it on shared GPU infrastructure.",
+      "ISO-27001-2022-A.8.22": "Segregation-of-networks/tenancy control does not account for a GPU-runtime escape breaking container isolation between AI workloads.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the GPU container runtime as a privileged isolation boundary requiring rapid patching.",
+      "DORA-Art-9": "ICT protection measures do not model a GPU-runtime container escape as an ICT-risk event crossing tenant boundaries.",
+      "UK-CAF-B4": "System Security objective has no objective for the GPU container runtime as an isolation boundary.",
+      "AU-ISM-1546": "Patch-application control does not single out the GPU container runtime that underpins AI workloads.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the GPU container runtime as an AI-pipeline trust boundary; an escape exposes co-tenant models, data and credentials on shared GPU hosts."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1610",
+      "T1611"
+    ],
+    "rwep_score": 35,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 35, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=30 (NVIDIA Container Toolkit underpins essentially all containerized GPU/AI workloads) minus patch 15. Note: the multi-tenant GPU-cloud blast radius raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-23266",
+    "cwe_refs": [
+      "CWE-426"
+    ],
+    "iocs": {
+      "behavioral": [
+        "NVIDIA Container Toolkit (nvidia-container-cli / runtime hook) loading libraries or executing binaries from a path under a container-controlled mount.",
+        "A container image whose initialization manipulates mounts, symlinks, or LD_* / search-path variables consumed by the GPU runtime.",
+        "Processes from a GPU workload container reading or writing host paths outside the container's intended mounts.",
+        "NVIDIA Container Toolkit at an affected version (<= 1.17.7, or GPU Operator <= 25.3.0) on a node that schedules untrusted or multi-tenant GPU workloads — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2025-23266 (CWE-426 container escape) and Wiz Research + the NVIDIA security advisory (https://nvidia.custhelp.com/app/answers/detail/a_id/5659)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-23266",
+      "https://nvidia.custhelp.com/app/answers/detail/a_id/5659"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVIDIA Product Security",
+        "advisory_id": "NVIDIA-5659",
+        "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5659",
+        "severity": "critical",
+        "published_date": "2025-07-17"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-23266",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23266",
+        "severity": "critical",
+        "published_date": "2025-07-17"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-426; NIST CVSS 9) + Wiz Research + the NVIDIA security advisory. Member of the NVIDIA Container Toolkit GPU-container-escape family.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "NVIDIA Container Toolkit loads code via an untrusted search path in its init hooks (CWE-426), letting a crafted container escape to the host with elevated permissions (NVIDIAScape). Affects Container Toolkit <= 1.17.7 (fixed 1.17.8) and GPU Operator <= 25.3.0 (fixed 25.3.1)."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -1192,7 +1192,8 @@
     ],
     "skills_referencing": [],
     "evidence_cves": [
-      "CVE-2012-1854"
+      "CVE-2012-1854",
+      "CVE-2025-23266"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-AC-6",
@@ -2074,7 +2075,8 @@
       "CWE-826"
     ],
     "evidence_cves": [
-      "CVE-2020-17103-REREGRESSION-2026"
+      "CVE-2020-17103-REREGRESSION-2026",
+      "CVE-2024-0132"
     ],
     "last_verified": "2026-05-18",
     "notes": "Added v0.13.17 to back the MiniPlasma cldflt.sys re-regression entry. CWE-367 is the standard MITRE classification for TOCTOU races; the cldflt.sys HsmOsBlockPlaceholderAccess primitive validates a placeholder file's accessibility once, then is racing against a junction / symlink swap before the kernel acts on the cached decision."

package/data/framework-control-gaps.json

@@ -35,8 +35,10 @@
     "opened_date": "2026-01-01",
     "evidence_cves": [
       "CVE-2023-48022",
+      "CVE-2024-0132",
       "CVE-2024-50050",
       "CVE-2025-23254",
+      "CVE-2025-23266",
       "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
@@ -1185,7 +1187,9 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
-      "CVE-2024-21626"
+      "CVE-2024-0132",
+      "CVE-2024-21626",
+      "CVE-2025-23266"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -1754,11 +1758,13 @@
     "opened_date": "2026-03-15",
     "evidence_cves": [
       "CVE-2023-48022",
+      "CVE-2024-0132",
       "CVE-2024-50050",
       "CVE-2025-10585",
       "CVE-2025-1094",
       "CVE-2025-14174",
       "CVE-2025-23254",
+      "CVE-2025-23266",
       "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-38352",
@@ -2112,7 +2118,9 @@
     "opened_date": "2026-05-01",
     "evidence_cves": [
       "CVE-2023-48022",
+      "CVE-2024-0132",
       "CVE-2024-40635",
+      "CVE-2025-23266",
       "CVE-2025-53767",
       "CVE-2026-42897"
     ],
@@ -2325,6 +2333,7 @@
       "CVE-2023-43000",
       "CVE-2023-50224",
       "CVE-2023-52163",
+      "CVE-2024-0132",
       "CVE-2024-0769",
       "CVE-2024-11182",
       "CVE-2024-12987",
@@ -2366,6 +2375,7 @@
       "CVE-2025-21479",
       "CVE-2025-21480",
       "CVE-2025-23254",
+      "CVE-2025-23266",
       "CVE-2025-24016",
       "CVE-2025-24201",
       "CVE-2025-24893",
@@ -4799,9 +4809,11 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2023-48022",
+      "CVE-2024-0132",
       "CVE-2024-21762",
       "CVE-2024-50050",
       "CVE-2025-23254",
+      "CVE-2025-23266",
       "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
@@ -5315,9 +5327,11 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2024-0132",
       "CVE-2024-21762",
       "CVE-2024-50050",
       "CVE-2025-23254",
+      "CVE-2025-23266",
       "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
@@ -5372,9 +5386,11 @@
     "opened_date": "2026-05-17",
     "evidence_cves": [
       "CVE-2023-48022",
+      "CVE-2024-0132",
       "CVE-2024-21762",
       "CVE-2024-50050",
       "CVE-2025-23254",
+      "CVE-2025-23266",
       "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",

package/data/zeroday-lessons.json

@@ -6983,6 +6983,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-0132": {
+    "name": "NVIDIA Container Toolkit TOCTOU Container Escape",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "NVIDIA Container Toolkit (CWE-367 TOCTOU race) lets a crafted container image escape its container and execute code on the host, crossing the tenant boundary on shared GPU infrastructure. Disclosed by Wiz Research.",
+      "privileges_required": "ability to run or schedule a crafted container image on a GPU node",
+      "complexity": "low (a crafted image / short Dockerfile is sufficient)",
+      "ai_factor": "The GPU container runtime underpins essentially all containerized AI/ML GPU workloads. A single escape on a shared GPU host crosses the tenant boundary and exposes co-tenant models, training data, and cloud credentials. The lesson: the GPU container runtime is an AI-pipeline trust boundary that must be patched and hardened like any isolation control, not assumed safe."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the GPU container runtime as managed, escape-bearing software under every AI/ML GPU workload."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection assumes the container is the tenant boundary; a runtime escape crosses it on shared GPU infrastructure."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the GPU container runtime as an AI-pipeline trust boundary whose escape exposes co-tenant AI assets."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Organizations treat container isolation as a given and do not track the GPU container runtime version; shared GPU clouds run mixed-tenant workloads on the same hosts.",
+      "theater_pattern": "container_isolation_assumed"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-090",
+        "name": "AI-GPU-CONTAINER-RUNTIME-ISOLATION",
+        "description": "Treat the GPU container runtime (NVIDIA Container Toolkit / GPU Operator) as a patch-prioritized isolation boundary: keep it current (upgrade to 1.16.2+), do not run untrusted or mixed-tenant container images on the same GPU host, restrict who can schedule GPU workloads, and run workloads least-privilege. The distinguishing test: on a staging GPU node, run a crafted image that manipulates init hooks / mounts and confirm it cannot read host paths or load host-side code outside its container.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5582",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-23266": {
+    "name": "NVIDIA Container Toolkit Init-Hook Untrusted Search Path Container Escape (NVIDIAScape)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "NVIDIA Container Toolkit (CWE-426 untrusted search path in init hooks) lets a crafted container image escape its container and execute code on the host, crossing the tenant boundary on shared GPU infrastructure. Disclosed by Wiz Research.",
+      "privileges_required": "ability to run or schedule a crafted container image on a GPU node",
+      "complexity": "low (a crafted image / short Dockerfile is sufficient)",
+      "ai_factor": "The GPU container runtime underpins essentially all containerized AI/ML GPU workloads. A single escape on a shared GPU host crosses the tenant boundary and exposes co-tenant models, training data, and cloud credentials. The lesson: the GPU container runtime is an AI-pipeline trust boundary that must be patched and hardened like any isolation control, not assumed safe."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the GPU container runtime as managed, escape-bearing software under every AI/ML GPU workload."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection assumes the container is the tenant boundary; a runtime escape crosses it on shared GPU infrastructure."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the GPU container runtime as an AI-pipeline trust boundary whose escape exposes co-tenant AI assets."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Organizations treat container isolation as a given and do not track the GPU container runtime version; shared GPU clouds run mixed-tenant workloads on the same hosts.",
+      "theater_pattern": "container_isolation_assumed"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-090",
+        "name": "AI-GPU-CONTAINER-RUNTIME-ISOLATION",
+        "description": "Treat the GPU container runtime (NVIDIA Container Toolkit / GPU Operator) as a patch-prioritized isolation boundary: keep it current (Container Toolkit 1.17.8+ / GPU Operator 25.3.1+), do not run untrusted or mixed-tenant container images on the same GPU host, restrict who can schedule GPU workloads, and run workloads least-privilege. The distinguishing test: on a staging GPU node, run a crafted image that manipulates init hooks / mounts and confirm it cannot read host paths or load host-side code outside its container.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5659",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "lesson_date": "2026-05-24",