github.com/cri-o/cri-o vulnerabilities
12 known vulnerabilities affecting github.com/cri-o/cri-o.
Total CVEs: 12
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 5, MEDIUM 7
Vulnerabilities
CVE-2025-4437 | MEDIUM | ≥ 0, ≤ 1.33.3 | 2025-08-20
CVE-2025-4437 [MEDIUM] CWE-770 CRI-O has Potential High Memory Consumption from File Read
There's a vulnerability in the CRI-O application where, when a container is launched with securityContext.runAsUser specifying a non-existent user, CRI-O attempts to create the user, reading the container's entire /etc/passwd file into memory. If this file is excessively large, it can cause high memory consumption leading applications to be kill
CVE-2025-0750 | MEDIUM | ≥ 0, ≤ 1.33.0 | 2025-01-28
CVE-2025-0750 [MEDIUM] CWE-22 CRI-O Path Traversal vulnerability
A vulnerability was found in CRI-O. A path traversal issue in the log management functions (UnMountPodLogs and LinkContainerLogs) may allow an attacker with permissions to create and delete Pods to unmount arbitrary host paths, leading to node-level denial of service by unmounting critical system directories.
CVE-2024-8676 | MEDIUM | ≥ 0, < 1.29.11; ≥ 1.30.0, < 1.30.8; +1 more | 2024-11-26
CVE-2024-8676 [MEDIUM] CWE-285 CRI-O: Maliciously structured checkpoint file can gain arbitrary node access
### Impact
### Patches
1.31.1, 1.30.6, 1.29.8
### Workarounds
Set `enable_criu_support = false`.
CVE-2024-5154 | HIGH | ≥ 1.28.6, < 1.28.7; ≥ 1.29.4, < 1.29.5; +1 more | 2024-06-04
CVE-2024-5154 [HIGH] CWE-22 malicious container creates symlink "mtab" on the host External
### Impact
A malicious container can affect the host by taking advantage of code cri-o added to show the container mounts on the host.
A workload built from this Dockerfile:
```
FROM docker.io/library/busybox as source
RUN mkdir /extra && cd /extra && ln -s ../../../../../../../../root etc
FROM scratch
COPY --from=source /bin /bin
COPY --
```
CVE-2024-3154 | HIGH | ≥ 1.29.0, < 1.29.4; ≥ 1.28.0, < 1.28.6; +1 more | 2024-04-30
CVE-2024-3154 [HIGH] CWE-77 CRI-O vulnerable to an arbitrary systemd property injection
### Impact
On CRI-O, it looks like an arbitrary systemd property can be injected via a Pod annotation:
```
---
apiVersion: v1
kind: Pod
metadata:
  name: poc-arbitrary-systemd-property-injection
  annotations:
    # I believe that ExecStart with an arbitrary command works here too,
    # but I haven't figured out how to marshalize the ExecStart struct to gvaria
```
CVE-2023-6476 | MEDIUM | ≥ 1.29.0, < 1.29.1; ≥ 1.28.0, < 1.28.3; +1 more | 2024-01-10
CVE-2023-6476 [MEDIUM] CWE-400 CRI-O's pods can break out of resource confinement on cgroupv2
### Impact
All versions of CRI-O running on cgroupv2 nodes.
Unchecked access to an experimental annotation allows a container to be unconfined. Back in 2021, [support was added](https://github.com/cri-o/cri-o/pull/4479) to support an experimental annotation that allows a user to request s
CVE-2022-4318 | MEDIUM | ≥ 0, < 1.26.0 | 2022-12-29
CVE-2022-4318 [MEDIUM] CWE-538 CRI-O vulnerable to /etc/passwd tampering resulting in Privilege Escalation
### Impact
It is possible to craft an environment variable with newlines to add entries to a container's /etc/passwd. It is possible to circumvent admission validation of username/UID by adding such an entry.
Note: because the pod author is in control of the container's /etc/passwd, this is not considered a new ri
CVE-2022-2995 | HIGH | ≥ 0, < 1.25.0 | 2022-09-20
CVE-2022-2995 [HIGH] CWE-284 CRI-O incorrect handling of supplementary groups may lead to sensitive information disclosure
Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is
CVE-2022-1708 | HIGH | ≥ 1.24.0, < 1.24.1; ≥ 1.23.0, < 1.23.3; +1 more | 2022-06-06
CVE-2022-1708 [HIGH] CWE-400 Node DOS by way of memory exhaustion through ExecSync request in CRI-O
### Description
An ExecSync request runs a command in a container and returns the output to the Kubelet. It is used for readiness and liveness probes within a pod. The way CRI-O runs ExecSync commands is through conmon. CRI-O asks conmon to start the process, and conmon writes the output to disk. CRI-O then reads the output an
CVE-2022-27652 | MEDIUM | ≥ 0, < 1.24.0 | 2022-04-22
CVE-2022-27652 [MEDIUM] CWE-276 Incorrect Default Permissions in CRI-O
### Impact
A bug was found in CRI-O where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise
CVE-2022-0811 | HIGH | ≥ 1.19.0, < 1.19.6; ≥ 1.20.0, < 1.20.7; +3 more | 2022-03-15
CVE-2022-0811 [HIGH] CWE-94 Code Injection in CRI-O
### Impact
A flaw was introduced in CRI-O version 1.19 that an attacker can use to bypass the safeguards and set arbitrary kernel parameters on the host. As a result, anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime can abuse the `kernel.core_pattern` kernel parameter to achieve container escape and arbitrary code execution as root on any node in the cluster.
### Patches
The patches w
CVE-2022-0532 | MEDIUM | ≥ 0, < 1.23.1 | 2022-02-11
CVE-2022-0532 [MEDIUM] CWE-732 Incorrect Permission Assignment for Critical Resource in CRI-O
An incorrect sysctls validation vulnerability was found in CRI-O 1.18 and earlier. The sysctls from the list of "safe" sysctls specified for the cluster will be applied to the host if an attacker is able to create a pod with a hostIPC and hostNetwork kernel namespace.