CVE-2024-8676
published 2024-11-26CVE-2024-8676: A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that…
PriorityP348high7.4CVSS 3.1
AVNACHPRNUINSUCHIHAN
EPSS
0.77%
51.1th percentile
A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | cri-o_cri-o | >= 0 < 1.29.11 | 1.29.11 |
| github.com | cri-o_cri-o | >= 1.30.0 < 1.30.8 | 1.30.8 |
| github.com | cri-o_cri-o | >= 1.31.0 < 1.31.3 | 1.31.3 |
CVSS provenance
nvdv3.17.4HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
vendor_redhat7.4HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CRI-O: Maliciously structured checkpoint file can gain arbitrary node access in github.com/cri-o/cri-o
osv·2024-12-04
CVE-2024-8676 CRI-O: Maliciously structured checkpoint file can gain arbitrary node access in github.com/cri-o/cri-o
CRI-O: Maliciously structured checkpoint file can gain arbitrary node access in github.com/cri-o/cri-o
CRI-O: Maliciously structured checkpoint file can gain arbitrary node access in github.com/cri-o/cri-o
GHSA
CRI-O: Maliciously structured checkpoint file can gain arbitrary node access
ghsa·2024-11-26
CVE-2024-8676 [MEDIUM] CWE-285 CRI-O: Maliciously structured checkpoint file can gain arbitrary node access
CRI-O: Maliciously structured checkpoint file can gain arbitrary node access
### Impact
### Patches
1.31.1, 1.30.6, 1.29.8
### Workarounds
set `enable_criu_support = false`
### References
_Are there any links users can visit to find out more?_
OSV
CRI-O: Maliciously structured checkpoint file can gain arbitrary node access
osv·2024-11-26
CVE-2024-8676 [MEDIUM] CRI-O: Maliciously structured checkpoint file can gain arbitrary node access
CRI-O: Maliciously structured checkpoint file can gain arbitrary node access
### Impact
### Patches
1.31.1, 1.30.6, 1.29.8
### Workarounds
set `enable_criu_support = false`
### References
_Are there any links users can visit to find out more?_
Red Hat
cri-o: Checkpoint restore can be triggered from different namespaces
vendor_redhat·2024-11-26·CVSS 7.4
CVE-2024-8676 [HIGH] CWE-285 cri-o: Checkpoint restore can be triggered from different namespaces
cri-o: Checkpoint restore can be triggered from different namespaces
A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.
A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a co
No detection rules found.
No public exploits indexed.
https://access.redhat.com/errata/RHBA-2024:10826https://access.redhat.com/errata/RHSA-2025:0648https://access.redhat.com/errata/RHSA-2025:1908https://access.redhat.com/errata/RHSA-2025:3297https://access.redhat.com/errata/RHSA-2025:4211https://access.redhat.com/errata/RHSA-2025:9765https://access.redhat.com/security/cve/CVE-2024-8676https://bugzilla.redhat.com/show_bug.cgi?id=2313842
2024-11-26
Published