CVE-2024-7598
Published: 2025-03-20
Priority: P4 (low)
CVSS 3.1 base score: 3.1 (Low)
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.30% (21.7th percentile)
A security issue was discovered in Kubernetes where a malicious or compromised pod could bypass network restrictions enforced by network policies during namespace deletion. The order in which objects are deleted during namespace termination is not defined, and it is possible for network policies to be deleted before the pods that they protect. This can lead to a brief period in which the pods are running, but network policies that should apply to connections to and from the pods are not enforced.
Affected (22 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.20.5+really1.20.2-1 (bookworm) | kubernetes 1.20.5+really1.20.2-1 (bookworm) |
| k8s.io | kubernetes | >= 1.3.0 | — |
| k8s.io | kubernetes_cmd_kube-apiserver | 1.3.0 – 1.32.3 | — |
| kubernetes | kube-apiserver | — | — |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| msrc | azl3_kubernetes_1.30.10-11_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubernetes_1.30.10-13_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubernetes_1.30.10-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubernetes_1.30.10-16_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubernetes_1.30.10-18_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubernetes_1.30.10-20_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubernetes_1.30.10-21_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubernetes_1.30.10-22_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubernetes_1.30.10-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_kubernetes_1.28.4-18_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kubernetes_1.28.4-19_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kubernetes_1.28.4-21_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kubernetes_1.28.4-23_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kubernetes_1.28.4-25_on_cbl_mariner_2.0 | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (CVSS v3.1) | 3.1 | LOW | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
| osv | 3.1 | LOW | — |
| vendor_debian | 3.1 | LOW | — |
| vendor_msrc | 3.1 | LOW | — |
| vendor_redhat | 3.1 | LOW | — |
Red Hat
kube-apiserver: Network restriction bypass via race condition during namespace termination
vendor_redhat · 2025-03-20 · CVSS 3.1 · LOW · CWE-362
A flaw was found in Kubernetes. This vulnerability can allow a malicious or compromised pod to bypass network restrictions via the deletion of network policies before pod termination during namespace delet
Microsoft
Network restriction bypass via race condition during namespace termination
vendor_msrc · 2025-03-11 · CVSS 3.1 · LOW · CWE-362
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
kubernetes: kubernetes
Customer Action Required: Yes
Debian
CVE-2024-7598: kubernetes
vendor_debian · 2024 · CVSS 3.1 · LOW
Scope: local
bookworm: resolved (fixed in 1.20.5+really1.20.2-1)
bullseye: resolved (fixed in 1.20.5+really1.20.2-1)
forky: resolved (fixed in 1.20.5+really1.20.2-1)
sid: resolved (fixed in 1.20.5+really1.20.2-1)
trixie: resolved (fixed in 1.20.5+really1.20.2-1)
OSV
Kubernetes kube-apiserver Vulnerable to Race Condition in k8s.io/kubernetes
osv · 2025-03-25
GHSA
Kubernetes kube-apiserver Vulnerable to Race Condition
ghsa · 2025-03-20 · LOW · CWE-362
OSV
CVE-2024-7598
osv · 2025-03-20 · CVSS 3.1 · LOW
OSV
Kubernetes kube-apiserver Vulnerable to Race Condition
osv · 2025-03-20 · LOW
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.