Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.
Analysis
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.
Technical ContextAI
Privilege escalation allows a low-privileged user or process to gain elevated permissions beyond what was originally authorized. This vulnerability is classified as Improper Input Validation (CWE-20).
RemediationAI
Apply the principle of least privilege. Keep systems patched. Monitor for suspicious privilege changes. Use mandatory access controls (SELinux, AppArmor).
Same weakness CWE-20 – Improper Input Validation
View allSame technique Privilege Escalation
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| plucky | DNE | - |
| upstream | needs-triage | - |
| oracular | ignored | end of life, was needs-triage |
| focal | not-affected | code not present |
| jammy | not-affected | code not present |
| noble | not-affected | code not present |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 1.20.5+really1.20.2-1 | - |
| bookworm | fixed | 1.20.5+really1.20.2-1.1+deb12u1 | - |
| trixie | fixed | 1.32.3+ds-2 | - |
| forky, sid | fixed | 1.33.4+ds-1 | - |
| (unstable) | fixed | 1.20.5+really1.20.2-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18894
GHSA-hj2p-8wj8-pfq4