CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Description (NVD)
A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.
Analysis (AI-generated)
CVE-2025-6032 is a TLS certificate validation failure (CWE-295) in the podman machine init command: when it downloads a VM image from an OCI registry it does not verify the registry's certificate, so anyone who can interpose on the network path can serve a substitute image. The affected population is everyone who runs podman machine init over a network where traffic can be intercepted, typically on macOS and Windows, where podman machine provides the Linux VM in which all of the user's containers run. The CVSS 3.1 base score of 8.3 (High) follows from the vector: full confidentiality, integrity and availability impact with scope changed (S:C), because a malicious VM image gives the attacker control of the guest that will run the user's workloads, tempered by high attack complexity (AC:H, a man-in-the-middle position is required) and user interaction (UI:R, the user must run the command). Practical risk therefore tracks the network the command is run from: low on a trusted wired LAN, serious on shared Wi-Fi or any path an adversary controls.
Technical Context (AI-generated)
podman machine init can fetch the pre-built VM image for a new machine from an OCI registry, using the same registry-pull machinery (the containers/image library, built on Go's crypto/tls) that the rest of Podman uses for image pulls. The flaw is in how that download configures TLS: the client encrypts the connection but does not authenticate the remote endpoint, the pattern catalogued as CWE-295 (Improper Certificate Validation). A correct client checks that the registry's certificate chains to a trusted anchor and that its name matches the host being contacted; the vulnerable path skips that verification, so a certificate presented by anyone on the path is accepted. Encryption without authentication is no defence against an active attacker: whoever terminates the connection first (AV:N, any position on the network path between client and registry) can present their own certificate and hand back a VM image of their choosing, and Podman then provisions and boots that image as if it had come from the real registry. Because the image is the root filesystem of the machine VM, the consequence is not a bad download but a compromised guest, which is why the vector carries S:C together with C:H/I:H/A:H.
Remediation (AI-generated)
Patch: update Podman to a release that verifies the registry certificate in the machine init code path; consult the Red Hat Security Advisories (RHSA) for your product, the podman.io release notes, and the distribution status below (Debian lists its fixed versions). Workarounds while a fix is pending: (1) run podman machine init only from a network you trust, never from public or shared Wi-Fi; (2) obtain the VM image out of band with a client that does validate TLS, then pass the local file to podman machine init --image instead of letting Podman pull it, or pull from a registry you operate on the local host; (3) restrict egress so the host can only reach the expected registry; (4) do not rely on a TLS-inspecting proxy at the network boundary to protect the client: such a proxy can log which certificate the registry presented, but the vulnerable client accepts any certificate, so the proxy cannot make it reject a bad one. Mitigations: verify the image's checksum against a value published by the vendor before first boot (OCI blobs are content-addressed, so a matching sha256 digest rules out substitution even if the transport was intercepted); pin known-good images with --image rather than relying on the default remote pull; and review Podman logs for image downloads you did not initiate.
Vendor Status
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| upstream | needs-triage | - |
| plucky | ignored | end of life, was needs-triage |
| questing | needs-triage | - |

DNE: the podman package does not exist in that release.
Debian
Bug #1108473

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | not-affected | - | - |
| bookworm | not-affected | - | - |
| (unstable) | fixed | (unfixed) | - |

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| trixie | fixed | 5.4.2+ds1-2 | - |
| forky, sid | fixed | 5.7.0+ds2-3 | - |
| (unstable) | fixed | 5.4.2+ds1-2 | - |
References
EUVD-2025-19013
GHSA-65gg-3w2w-hr4h