RHSA-2025:4211
A vulnerability was found in CRI-O, which can be asked to take a checkpoint archive of a container and later to restore it. During restoration, CRI-O attempts to restore the mounts from the restore archive instead of from the pod request. As a result, the validations run on the pod spec, which verify that the pod has access to the mounts it specifies, are not applied to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or CRI-O socket to call the restore endpoint and trigger the restore.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Red Hat OpenShift Container Platform 4.18 component images (`openshift4/*` and `rhcos`, listed per image digest and architecture) | * |
Exploit Intelligence
- go.yml (github-poc)
Timeline
- May 1, 2025 CVE Published
- Apr 24, 2026 Distribution Patch
- Apr 24, 2026 Security Advisory
- May 16, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2025:4211 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2313842 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2347423 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2354195 issue
- https://issues.redhat.com/browse/OCPBUGS-36610 advisory
- https://issues.redhat.com/browse/OCPBUGS-39305 advisory
- https://issues.redhat.com/browse/OCPBUGS-53278 advisory
- https://issues.redhat.com/browse/OCPBUGS-54369 advisory
- https://issues.redhat.com/browse/OCPBUGS-54594 advisory
- https://issues.redhat.com/browse/OCPBUGS-54698 advisory
- https://issues.redhat.com/browse/OCPBUGS-54817 advisory
- https://issues.redhat.com/browse/OCPBUGS-54947 advisory
- https://issues.redhat.com/browse/OCPBUGS-55116 advisory
- https://issues.redhat.com/browse/OCPBUGS-55146 advisory
- https://issues.redhat.com/browse/OCPBUGS-55172 advisory
- https://issues.redhat.com/browse/OCPBUGS-55240 advisory
- https://issues.redhat.com/browse/OCPBUGS-55242 advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_4211.json advisory
- https://access.redhat.com/security/cve/CVE-2024-8676 advisory