CVE-2025-0426
Published 2025-02-13
Priority P4 · 22 · medium · 6.2 (CVSS 3.1)
Vector: AV:L / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS: 0.35% (26.8th percentile)
A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < 1.20.5+really1.20.2-1 (bookworm) | 1.20.5+really1.20.2-1 (bookworm) |
| k8s.io | kubernetes | >= 0 < 1.29.14 | 1.29.14 |
| k8s.io | kubernetes | >= 1.30.0 < 1.30.10 | 1.30.10 |
| k8s.io | kubernetes | >= 1.31.0 < 1.31.6 | 1.31.6 |
| k8s.io | kubernetes | >= 1.32.0 < 1.32.2 | 1.32.2 |
| kubernetes | kubelet | 1.30.0 – 1.30.9 | — |
| kubernetes | kubelet | 1.31.0 – 1.31.5 | — |
| kubernetes | kubelet | 1.32.0 – 1.32.1 | — |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| msrc | azl3_kubernetes_1.30.10-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubernetes_1.30.3-2_on_azure_linux_3.0 | — | — |

The 1.20.x rows come from Debian's tracker: the kubelet checkpoint API did not exist before Kubernetes 1.25, so the 1.20-based Debian package never carried the endpoint and is marked resolved rather than patched. The two Azure Linux rows name package builds, not ranges; 1.30.3-2 sits inside the affected 1.30 range and 1.30.10-1 carries the fixed upstream release.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (CVSS v3.1) | 6.2 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 6.2 | MEDIUM | — |
| vendor_debian | 6.2 | MEDIUM | — |
| vendor_msrc | 6.2 | MEDIUM | — |
| vendor_redhat | 6.2 | MEDIUM | — |
Red Hat
k8s.io/kubernetes: kubelet: node denial of service via kubelet checkpoint API
vendor_redhat · 2025-02-13 · CVSS 6.2 · MEDIUM · CWE-400
A flaw was found in Kubernetes. A large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may fill the Node's disk, potentially leading to a Node denial of service.
Statement: OpenShift is not impacted by this vulnerability since the kubelet's unauthenticated read-only port is not enabled in that product.
Mitigation: To mitigate this vulnerability, disable the kubelet read-only port by setting `readOnlyPort: 0` in `/var/lib/kubelet/config.ya
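An added audit script, not from the advisory or from the Kubernetes project, that decides from `kubectl` output whether a node is exposed. Exposure needs three things at once: a kubelet inside one of the affected ranges above, a non-zero `readOnlyPort` (the read-only server listens on 10255 when enabled), and the `ContainerCheckpoint` feature gate on, because the kubelet only registers the checkpoint handler when that gate is enabled. The gate defaults used here (no gate before 1.25, off by default through 1.29, on from 1.30) are assumptions stated in the code rather than facts from this page; the node and `configz` documents are constructed samples in the shape of `kubectl get node -o json` and `kubectl get --raw /api/v1/nodes/<node>/proxy/configz`.

```python
"""Audit a node for CVE-2025-0426 exposure from kubectl output (added example).

Feed it two files:
  kubectl get node <node> -o json                       -> node document
  kubectl get --raw /api/v1/nodes/<node>/proxy/configz  -> running kubelet config
"""
import json
import re
import sys

# Vulnerable kubelet ranges from the advisory table, as [lower, upper) tuples.
AFFECTED = [
    ((0, 0, 0), (1, 29, 14)),
    ((1, 30, 0), (1, 30, 10)),
    ((1, 31, 0), (1, 31, 6)),
    ((1, 32, 0), (1, 32, 2)),
]


def parse_version(text):
    """'v1.30.3-eks-1a2b' -> (1, 30, 3); distro and pre-release suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable kubelet version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(ver):
    return any(lo <= ver < hi for lo, hi in AFFECTED)


def checkpoint_api_enabled(ver, feature_gates):
    """Whether this kubelet registers the checkpoint handler at all.

    Assumption, not from the advisory: the ContainerCheckpoint gate does not
    exist before 1.25, defaults off in 1.25-1.29 and on from 1.30; an explicit
    featureGates entry overrides the default.
    """
    if ver < (1, 25, 0):
        return False
    default = ver >= (1, 30, 0)
    return bool(feature_gates.get("ContainerCheckpoint", default))


def audit(node_doc, configz_doc):
    """Return a verdict; 'exposed' is True only when every condition holds."""
    ver = parse_version(node_doc["status"]["nodeInfo"]["kubeletVersion"])
    cfg = configz_doc["kubeletconfig"]
    ro_port = int(cfg.get("readOnlyPort") or 0)  # 0 means the read-only server is off
    gates = cfg.get("featureGates") or {}
    reasons = []
    if not version_affected(ver):
        reasons.append("kubelet %d.%d.%d is outside the affected ranges" % ver)
    if ro_port == 0:
        reasons.append("readOnlyPort is 0, read-only server disabled")
    if not checkpoint_api_enabled(ver, gates):
        reasons.append("ContainerCheckpoint gate is off, no checkpoint handler")
    return {"exposed": not reasons, "kubelet": ver,
            "readOnlyPort": ro_port, "reasons": reasons}


# Constructed sample documents in the shape of kubectl output; not real cluster data.
VULN_NODE = {"status": {"nodeInfo": {"kubeletVersion": "v1.30.3"}}}
PATCHED_NODE = {"status": {"nodeInfo": {"kubeletVersion": "v1.30.10"}}}
WEAK_CONFIGZ = {"kubeletconfig": {"readOnlyPort": 10255, "featureGates": {}}}
FIXED_CONFIGZ = {"kubeletconfig": {"readOnlyPort": 0, "featureGates": {}}}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python audit.py node.json configz.json
        node, cfg = (json.load(open(p)) for p in sys.argv[1:3])
        print(json.dumps(audit(node, cfg), indent=2))
    else:
        for label, n, c in [("weak config", VULN_NODE, WEAK_CONFIGZ),
                            ("readOnlyPort: 0", VULN_NODE, FIXED_CONFIGZ),
                            ("patched kubelet", PATCHED_NODE, WEAK_CONFIGZ)]:
            print(label, audit(n, c))
```

Read the running configuration from `configz` rather than the file on disk: the deprecated `--read-only-port` kubelet flag overrides `readOnlyPort` in the config file, and a change to the file only takes effect once the kubelet restarts.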
Microsoft
vendor_msrc · 2025-02-11 · CVSS 6.2 · MEDIUM · CWE-400
A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identifi
Debian
CVE-2025-0426: kubernetes - A security issue was discovered in Kubernetes where a large number of container ...
vendor_debian · 2025 · CVSS 6.2 · MEDIUM
Scope: local
bookworm, bullseye, forky, sid, trixie: resolved (fixed in 1.20.5+really1.20.2-1)
OSV
Node Denial of Service via kubelet Checkpoint API in k8s.io/kubernetes
osv · 2025-03-03
GHSA
Node Denial of Service via kubelet Checkpoint API
ghsa · 2025-02-13 · MEDIUM · CWE-400
OSV
CVE-2025-0426: A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP…
osv · 2025-02-13 · CVSS 6.2 · MEDIUM
OSV
Node Denial of Service via kubelet Checkpoint API
osv · 2025-02-13 · MEDIUM
No detection rules found.
No public exploits indexed.