Nixpkgs security tracker

Login with GitHub

Suggestion detail

Dismissed

Permalink CVE-2026-33414

updated 4 weeks ago by @LeSuisse Activity log

Created suggestion 4 weeks, 1 day ago
@LeSuisse ignored
9 packages
- podman-tui
- podman-bootc
- cockpit-podman
- podman-compose
- podman-desktop
- nomad-driver-podman
- python312Packages.podman
- python313Packages.podman
- python314Packages.podman
4 weeks ago
@LeSuisse dismissed 4 weeks ago

PowerShell Command Injection in Podman HyperV Machine

Podman is a tool for managing OCI containers and pods. Versions 4.8.0 through 5.8.1 contain a command injection vulnerability in the HyperV machine backend in pkg/machine/hyperv/stubber.go, where the VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $() subexpression injection. Because PowerShell evaluates subexpressions inside double-quoted strings before executing the outer command, an attacker who can control the VM image path through a crafted machine name or image directory can execute arbitrary PowerShell commands with the privileges of the Podman process. On typical Windows installations this means SYSTEM-level code execution, and only Windows is affected as the code is exclusive to the HyperV backend. This issue has been patched in version 5.8.2.

References

https://github.com/containers/podman/security/advisories/GHSA-hc8w-h2mf-hp59 x_refsource_CONFIRM
https://github.com/containers/podman/commit/571c842bd357ee626019ea97d030fb772fc654ed x_refsource_MISC

Affected products

podman

==>= 4.8.0, < 5.8.2

Matching in nixpkgs

pkgs.podman

Program for managing pods, containers and container images

nixos-unstable 5.8.1
- nixpkgs-unstable 5.8.1
- nixos-unstable-small 5.8.1
nixos-25.11 5.7.0
- nixos-25.11-small 5.7.0
- nixpkgs-25.11-darwin 5.7.0

Ignored packages (9)

pkgs.podman-tui

Podman Terminal UI

nixos-unstable 1.11.1
- nixpkgs-unstable 1.11.1
- nixos-unstable-small 1.11.1
nixos-25.11 1.9.0
- nixos-25.11-small 1.9.0
- nixpkgs-25.11-darwin 1.9.0

pkgs.podman-bootc

Streamlining podman+bootc interactions

nixos-unstable 0.1.2
- nixpkgs-unstable 0.1.2
- nixos-unstable-small 0.1.2
nixos-25.11 0.1.2
- nixos-25.11-small 0.1.2
- nixpkgs-25.11-darwin 0.1.2

pkgs.cockpit-podman

Cockpit UI for podman containers

nixos-unstable 124
- nixpkgs-unstable 124
- nixos-unstable-small 124

pkgs.podman-compose

Implementation of docker-compose with podman backend

nixos-unstable 1.5.0
- nixpkgs-unstable 1.5.0
- nixos-unstable-small 1.5.0
nixos-25.11 1.5.0
- nixos-25.11-small 1.5.0
- nixpkgs-25.11-darwin 1.5.0

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

nixos-unstable 1.23.1
- nixpkgs-unstable 1.26.2
- nixos-unstable-small 1.26.2
nixos-25.11 1.23.1
- nixos-25.11-small 1.23.1
- nixpkgs-25.11-darwin 1.23.1

pkgs.nomad-driver-podman

Podman task driver for Nomad

nixos-unstable 0.6.4
- nixpkgs-unstable 0.6.4
- nixos-unstable-small 0.6.4
nixos-25.11 0.6.3
- nixos-25.11-small 0.6.3
- nixpkgs-25.11-darwin 0.6.3

pkgs.python312Packages.podman

Python bindings for Podman's RESTful API

nixos-25.11 5.6.0
- nixos-25.11-small 5.6.0
- nixpkgs-25.11-darwin 5.6.0

pkgs.python313Packages.podman

Python bindings for Podman's RESTful API

nixos-unstable 5.7.0
- nixpkgs-unstable 5.7.0
- nixos-unstable-small 5.7.0
nixos-25.11 5.6.0
- nixos-25.11-small 5.6.0
- nixpkgs-25.11-darwin 5.6.0

pkgs.python314Packages.podman

Python bindings for Podman's RESTful API

nixos-unstable 5.7.0
- nixpkgs-unstable 5.7.0
- nixos-unstable-small 5.7.0

Package maintainers

@vdemeester Vincent Demeester <vincent@sbr.pm>
@saschagrunert Sascha Grunert <mail@saschagrunert.de>

Windows only