RHSA-2025%3A3297
A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | openshift4/ose-csi-external-provisioner-rhel9@sha256:e76c1a9c893c0aff2f63da557314126bcd57d57dfecdfc86ae8c54a7aefbe5af_ppc64le as a component of Red Hat OpenShift Container Platform 4.17 | openshift4/ose-csi-external-provisioner-rhel9@sha256:e76c1a9c893c0aff2f63da557314126bcd57d57dfecdfc86ae8c54a7aefbe5af_ppc64le |
| Red Hat | openshift4/ose-deployer-rhel9@sha256:9e021e16cd69f51f6fdeb960095ddabe86b91a229a421e2a14de7e9fe1dc0079_s390x as a component of Red Hat OpenShift Container Platform 4.17 | openshift4/ose-deployer-rhel9@sha256:9e021e16cd69f51f6fdeb960095ddabe86b91a229a421e2a14de7e9fe1dc0079_s390x |
| Red Hat | openshift4/ose-cluster-dns-rhel9-operator@sha256:f2c19c1ef80d986843a42bb60f0e45cc4bf934be572ec3c94871dc68bf105f8e_ppc64le as a component of Red Hat OpenShift Container Platform 4.17 | * |
| Red Hat | openshift4/ose-cluster-csi-snapshot-controller-rhel9-operator@sha256:7bbf0e539f413e5dd900435ff32fed9cc7c7c6fc53a6b90d3cc51192586343a6_amd64 as a component of Red Hat OpenShift Container Platform 4.17 | openshift4/ose-cluster-csi-snapshot-controller-rhel9-operator@sha256:7bbf0e539f413e5dd900435ff32fed9cc7c7c6fc53a6b90d3cc51192586343a6_amd64 |
| Red Hat | openshift4/ose-prometheus-operator-admission-webhook-rhel9@sha256:c72a2935345f14d23e0b4e421354974b6b57d4f0c9e77b8022272b40fc16d2b7_s390x as a component of Red Hat OpenShift Container Platform 4.17 | * |
| Red Hat | openshift4/ose-aws-cluster-api-controllers-rhel9@sha256:5f05ac15ef7dc205d3205816e5968d74e6762332d5a4ead4625be478161c0de6_arm64 as a component of Red Hat OpenShift Container Platform 4.17 | openshift4/ose-aws-cluster-api-controllers-rhel9@sha256:5f05ac15ef7dc205d3205816e5968d74e6762332d5a4ead4625be478161c0de6_arm64 |
| Red Hat | openshift4/ose-baremetal-runtimecfg-rhel9@sha256:2ca41d29fafcb0982e87532ad4bcf021c648664555ae1be4cd3774c49a1f2444_s390x as a component of Red Hat OpenShift Container Platform 4.17 | openshift4/ose-baremetal-runtimecfg-rhel9@sha256:2ca41d29fafcb0982e87532ad4bcf021c648664555ae1be4cd3774c49a1f2444_s390x |
| Red Hat | openshift4/ose-coredns-rhel9@sha256:bc471f69d33df100da2b930ae436da3bb978fd86d43704f4afb18e04ccd06f3e_s390x as a component of Red Hat OpenShift Container Platform 4.17 | openshift4/ose-coredns-rhel9@sha256:bc471f69d33df100da2b930ae436da3bb978fd86d43704f4afb18e04ccd06f3e_s390x |
| Red Hat | openshift4/ose-networking-console-plugin-rhel9@sha256:61f83ba78deaf0e104296d46b1b23a3cf22ce703aea182f5e899c98ef48eb412_s390x as a component of Red Hat OpenShift Container Platform 4.17 | openshift4/ose-networking-console-plugin-rhel9@sha256:61f83ba78deaf0e104296d46b1b23a3cf22ce703aea182f5e899c98ef48eb412_s390x |
| Red Hat | openshift4/cloud-network-config-controller-rhel9@sha256:b52946437bf63227a8dd9b22b069e61a9fa0bb9a5e4be7f5cedf3f55c4ec35cc_arm64 as a component of Red Hat OpenShift Container Platform 4.17 | * |
| Red Hat | openshift4/ose-cluster-bootstrap-rhel9@sha256:3c7654a40a54e62fa13277cdc9c4d79aef1ffc467cd3288ce2db5134de387985_arm64 as a component of Red Hat OpenShift Container Platform 4.17 | openshift4/ose-cluster-bootstrap-rhel9@sha256:3c7654a40a54e62fa13277cdc9c4d79aef1ffc467cd3288ce2db5134de387985_arm64 |
| Red Hat | openshift4/ovirt-csi-driver-rhel9-operator@sha256:ad10c5c781c2ec18084139b7fc7e369a7f197f6ec9b464b54a0ac77ebd7709fb_amd64 as a component of Red Hat OpenShift Container Platform 4.17 | openshift4/ovirt-csi-driver-rhel9-operator@sha256:ad10c5c781c2ec18084139b7fc7e369a7f197f6ec9b464b54a0ac77ebd7709fb_amd64 |
| Red Hat | openshift4/ose-cloud-credential-rhel9-operator@sha256:b35904e3a010256a73750eb8dfb185d81b12375a90c55cc30cc05c43cb4b2b86_amd64 as a component of Red Hat OpenShift Container Platform 4.17 | openshift4/ose-cloud-credential-rhel9-operator@sha256:b35904e3a010256a73750eb8dfb185d81b12375a90c55cc30cc05c43cb4b2b86_amd64 |
| Red Hat | openshift4/ose-csi-driver-shared-resource-webhook-rhel9@sha256:156bee713e5c1e39172b14b99c66bb0a80a45d425ee58b1b631e005110a2bd26_amd64 as a component of Red Hat OpenShift Container Platform 4.17 | openshift4/ose-csi-driver-shared-resource-webhook-rhel9@sha256:156bee713e5c1e39172b14b99c66bb0a80a45d425ee58b1b631e005110a2bd26_amd64 |
| Red Hat | openshift4/ose-operator-lifecycle-manager-rhel9@sha256:bb4eef9077ca6dd17e9e8dd92d5ef7aba12859f6510fe19564047dd4f4b810ee_ppc64le as a component of Red Hat OpenShift Container Platform 4.17 | openshift4/ose-operator-lifecycle-manager-rhel9@sha256:bb4eef9077ca6dd17e9e8dd92d5ef7aba12859f6510fe19564047dd4f4b810ee_ppc64le |
| Red Hat | openshift4/ose-openshift-controller-manager-rhel9@sha256:54eae4e13bf84e4400313581a9c1650763ced089bb063830f272e5c6a111c91d_ppc64le as a component of Red Hat OpenShift Container Platform 4.17 | openshift4/ose-openshift-controller-manager-rhel9@sha256:54eae4e13bf84e4400313581a9c1650763ced089bb063830f272e5c6a111c91d_ppc64le |
| Red Hat | openshift4/ose-machine-api-rhel9-operator@sha256:7c1966265800c8279bc94d13ffc5724df53045604945f79113041b9e61ad4df2_ppc64le as a component of Red Hat OpenShift Container Platform 4.17 | openshift4/ose-machine-api-rhel9-operator@sha256:7c1966265800c8279bc94d13ffc5724df53045604945f79113041b9e61ad4df2_ppc64le |
| Red Hat | openshift4/ose-machine-os-images-rhel9@sha256:6c04189876f5bd302ce07621420d3f5c6d7067395ce00a675d2f713bf8698a20_s390x as a component of Red Hat OpenShift Container Platform 4.17 | openshift4/ose-machine-os-images-rhel9@sha256:6c04189876f5bd302ce07621420d3f5c6d7067395ce00a675d2f713bf8698a20_s390x |
| Red Hat | openshift4/ose-oauth-proxy-rhel9@sha256:d42f59725fcbc69cef5d354a55d07f3dc37c6ce2956c6243b787b0402d7c7f63_amd64 as a component of Red Hat OpenShift Container Platform 4.17 | openshift4/ose-oauth-proxy-rhel9@sha256:d42f59725fcbc69cef5d354a55d07f3dc37c6ce2956c6243b787b0402d7c7f63_amd64 |
| Red Hat | openshift4/ose-kube-proxy-rhel9@sha256:484bc5e0776b4d41829454b41d5cc682eb5b1317c0acfb564a1e4b0396401080_ppc64le as a component of Red Hat OpenShift Container Platform 4.17 | openshift4/ose-kube-proxy-rhel9@sha256:484bc5e0776b4d41829454b41d5cc682eb5b1317c0acfb564a1e4b0396401080_ppc64le |
…and 632 more
Timeline
- Apr 3, 2025 CVE Published
- Apr 24, 2026 CVE Updated
- Apr 24, 2026 Distribution Patch
- Apr 24, 2026 Distribution Patch
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
References
- https://access.redhat.com/errata/RHSA-2025:3297 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2313842 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2346112 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2346421 issue
- https://issues.redhat.com/browse/OCPBUGS-48439 advisory
- https://issues.redhat.com/browse/OCPBUGS-49816 advisory
- https://issues.redhat.com/browse/OCPBUGS-51117 advisory
- https://issues.redhat.com/browse/OCPBUGS-52961 advisory
- https://issues.redhat.com/browse/OCPBUGS-53071 advisory
- https://issues.redhat.com/browse/OCPBUGS-53086 advisory
- https://issues.redhat.com/browse/OCPBUGS-53283 advisory
- https://issues.redhat.com/browse/OCPBUGS-53441 advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3297.json advisory
- https://access.redhat.com/security/cve/CVE-2024-8676 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-8676 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-8676 advisory
- https://access.redhat.com/security/cve/CVE-2025-0624 advisory
- https://www.cve.org/CVERecord?id=CVE-2025-0624 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-0624 advisory
…and 5 more