Untriaged
Permalink
CVE-2025-4437
5.7 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): NONE
- Availability impact (A): HIGH
Cri-o: large /etc/passwd file may lead to denial of service
There's a vulnerability in the CRI-O application where when container is launched with securityContext.runAsUser specifying a non-existent user, CRI-O attempts to create the user, reading the container's entire /etc/passwd file into memory. If this file is excessively large, it can cause the a high memory consumption leading applications to be killed due to out-of-memory. As a result a denial-of-service can be achieved, possibly disrupting other pods and services running in the same host.
References
- https://access.redhat.com/security/cve/CVE-2025-4437 x_refsource_REDHAT vdb-entry
- RHBZ#2375084 issue-tracking x_refsource_REDHAT
- https://access.redhat.com/security/cve/CVE-2025-4437 x_refsource_REDHAT vdb-entry
- RHBZ#2375084 issue-tracking x_refsource_REDHAT
- https://access.redhat.com/security/cve/CVE-2025-4437 x_refsource_REDHAT vdb-entry
- RHBZ#2375084 issue-tracking x_refsource_REDHAT
Affected products
cri-o
rhcos
Matching in nixpkgs
pkgs.cri-o
Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface
-
nixos-unstable -
- nixpkgs-unstable 1.34.0
pkgs.cri-o-unwrapped
Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface
-
nixos-unstable -
- nixpkgs-unstable 1.34.0
Package maintainers
-
@saschagrunert Sascha Grunert <mail@saschagrunert.de>
-
@vdemeester Vincent Demeester <vincent@sbr.pm>