A critical zero-day vulnerability in NVIDIA’s Container Toolkit has been publicly disclosed outside the coordinated process typically associated with the Pwn2Own hacking contest, according to an advisory from Hungary’s National Cyber Security Center (NKI). The flaw, tracked as CVE-2025-23266 and nicknamed “NVIDIAScape,” allows attackers to break out of containerized environments and take control of the underlying host systems that power AI workloads. The NKI advisory, published in May 2026, warns that shared GPU infrastructure used for machine learning is directly at risk. Separate, unverified claims suggest additional flaws may affect Firefox and AI cloud platforms, but no primary evidence supports those assertions.
The public release of working exploit details outside Pwn2Own’s structured disclosure window has compressed the time enterprises have to defend themselves and reignited a long-running debate in the security community: what happens when the pipeline designed to keep dangerous bugs under wraps breaks down?
The NVIDIA flaw: what is confirmed
The NKI, Hungary’s national CERT-equivalent agency, published an advisory identifying CVE-2025-23266 as a critical vulnerability in the NVIDIA Container Toolkit. The bug enables container escape, a technique that lets an attacker break out of an isolated software environment and interact directly with the host operating system. In plain terms, a container is supposed to act like a sealed box: code runs inside it without being able to touch anything else on the machine. NVIDIAScape breaks that seal.
For organizations running GPU-accelerated machine learning jobs in shared cloud infrastructure, the consequences of a successful escape are severe. Training data, proprietary model weights, and workloads belonging to other tenants on the same physical hardware could all be exposed in a single breach. The attacker would never need to defeat traditional perimeter defenses like firewalls or VPNs because they are already inside the environment.
The NKI advisory explicitly ties CVE-2025-23266 to demonstrations that were planned for Pwn2Own Berlin, and that connection appears consistently across the agency’s cybersecurity portal and incident response center. Pwn2Own, organized by Trend Micro’s Zero Day Initiative (ZDI), is a long-running contest where researchers demonstrate exploits against previously unknown software flaws in exchange for cash prizes and recognition. Vendors whose products are targeted typically receive advance notice through coordinated disclosure rules, giving them a defined window to develop patches before exploit details go public.
This is not the first time NVIDIA’s container tooling has drawn researcher attention. In late 2024, NVIDIA patched CVE-2024-0132, another critical container escape vulnerability in the same toolkit. The recurrence suggests that the boundary between GPU-accelerated containers and their host systems remains a persistent and attractive attack surface, particularly as adoption of containerized AI workloads has surged.
Why the disclosure path matters
Under normal Pwn2Own rules, a researcher who successfully demonstrates an exploit on stage triggers a coordinated timeline. The vendor is notified privately, given a set number of days (typically 90) to develop a fix, and only then are full technical details published. That buffer exists specifically to prevent attackers from weaponizing a flaw before a patch is available.
In this case, the researchers released their findings publicly rather than through the contest’s coordinated process. The NKI advisory connects the vulnerability to Pwn2Own Berlin, but no primary source reviewed for this report describes the specific circumstances that led to the disclosure occurring outside the contest. Whatever the reason, the practical result is the same: a working attack technique became available to potential adversaries before any official fix was confirmed.
Many organizations have rapidly adopted GPU-backed containers to run training and inference jobs, often layering orchestration systems like Kubernetes on top. In those stacks, a single vulnerable component in the toolchain can become a pivot point for lateral movement across entire clusters. Even without a full exploit chain being published, the confirmation that CVE-2025-23266 enables container escape is enough to classify it as a high-impact issue for any provider offering shared GPU resources.
What remains uncertain
Several important details have not been confirmed by any primary source available at the time of reporting.
Neither the Zero Day Initiative nor Pwn2Own organizers have issued a public statement explaining the circumstances under which this vulnerability was disclosed outside the contest. Some secondary reports describe the researchers as having been “rejected” from the Berlin event, but no primary source confirms that characterization. Contest participation issues can arise for procedural reasons: duplicate submissions, target scope changes, or missed registration deadlines. No specific explanation has surfaced, and ZDI did not respond to inquiries before publication.
The identity of the researchers has not been confirmed through any official channel reviewed for this report. The NKI advisory describes the vulnerability and its connection to Pwn2Own Berlin but does not name the individuals or teams responsible for the discovery or the public release.
NVIDIA has not released a public statement addressing the NVIDIAScape disclosure timeline, the availability of a patch, or whether the company received any advance notice. Without that information, it is unclear how long NVIDIA Container Toolkit users will remain exposed, whether a mitigation is already in development, or whether the flaw affects all versions of the toolkit or only specific configurations. No CVSS score has been published by NVIDIA or the National Vulnerability Database as of June 2026.
The scope of additional zero-days reportedly affecting Firefox and unnamed AI platforms cannot be independently confirmed from available primary sources. No Mozilla advisory, CVE entry, or technical write-up corresponding to a Firefox zero-day linked to this incident has appeared. References to these additional disclosures exist in secondary summaries but lack the documentation needed for independent verification. Until that evidence emerges, the existence and severity of those alleged flaws should be treated as unproven.
What enterprises should do now
The NVIDIA Container Toolkit flaw warrants immediate attention. Organizations running GPU workloads in containerized environments should audit their toolkit versions and monitor NVIDIA’s security response page for patch availability. Network segmentation between container hosts and sensitive data stores can reduce the blast radius of a container escape while a fix is pending. Reviewing container hardening baselines, restricting unnecessary host-level privileges, and limiting GPU sharing across trust boundaries are all steps that can be taken before an official update arrives.
The Firefox and AI platform claims, by contrast, do not yet carry enough technical detail to drive specific defensive action. Security teams should watch for new CVE assignments and vendor advisories in the coming weeks but should not divert resources based on unverified reports.
When the disclosure pipeline fractures
Bug bounty programs and contests like Pwn2Own exist to channel offensive expertise into controlled, coordinated pipelines. Researchers find dangerous bugs, vendors get time to fix them, and the public benefits from patches arriving before exploit code spreads. The system depends on trust: researchers trust that their work will be fairly evaluated and credited, and vendors trust that they will get a reasonable window to respond.
When researchers perceive those pipelines as opaque or unfair, some choose to publish independently, prioritizing transparency, personal recognition, or pressure on vendors over the traditional embargo model. That dynamic can accelerate defensive awareness across the industry, but it also shortens the window before attackers gain access to working exploit code.
NVIDIAScape is a concrete example of what that fracture looks like in practice: a real, high-impact vulnerability with confirmed implications for AI cloud environments that surfaced in public before any clear remediation guidance from the vendor. The unresolved questions around the disclosure circumstances and unverified additional zero-days only underscore how quickly the fragility of these trust relationships can translate into operational risk, especially when the infrastructure at stake is the AI compute layer that a growing number of businesses depend on.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
