VDB

RHSA-2025:4211

RHSA-2025:4211 PUBLISHED CVSS 7.4 HIGH

A vulnerability was found in CRI-O, which can be asked to take a checkpoint archive of a container and later to restore it. During restoration, CRI-O attempts to restore the mounts from the restore archive instead of from the pod request. As a result, the validations run on the pod spec, which verify that the pod has access to the mounts it specifies, are not applied to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or CRI-O socket to call the restore endpoint and trigger the restore.

Risk Scores

CVSS 3.1
7.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products

Vendor: Red Hat
Products: openshift4/ose-* container images and rhcos builds (amd64, arm64, aarch64, ppc64le, s390x, x86_64), each identified by sha256 digest and listed as a component of Red Hat OpenShift Container Platform 4.18
Versions: per-image digest or *

20 entries are listed on the page, with 180 more not shown.

Exploit Intelligence

Timeline

  • May 1, 2025 CVE Published
  • Apr 24, 2026 Distribution Patch
  • Apr 24, 2026 Distribution Patch
  • Apr 24, 2026 Security Advisory
  • Apr 24, 2026 Security Advisory
  • Apr 24, 2026 Security Advisory
  • Apr 24, 2026 Security Advisory
  • May 16, 2026 CVE Updated