Skip to main content

Podman. The CVE-2025-6032

| EUVDEUVD-2025-19013 HIGH
Improper Certificate Validation (CWE-295)
2025-06-24 secalert@redhat.com GHSA-65gg-3w2w-hr4h
8.3
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.3 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
8.3 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 15, 2026 - 22:36 euvd
EUVD-2025-19013
Analysis Generated
Mar 15, 2026 - 22:36 vuln.today
CVE Published
Jun 24, 2025 - 14:15 nvd
HIGH 8.3

DescriptionCVE.org

A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.

AnalysisAI

CVE-2025-6032 is a TLS certificate validation bypass in Podman's machine init command that fails to verify certificates when downloading VM images from OCI registries, enabling Man-in-the-Middle (MITM) attacks. This affects users running Podman machine initialization on networked systems where attackers can intercept traffic. While the CVSS score of 8.3 indicates high severity with potential for confidentiality, integrity, and availability impact, real-world exploitation requires specific network positioning (AC:H - high attack complexity) and user interaction (UI:R), suggesting moderate practical risk despite the high base score.

Technical ContextAI

Podman machine init uses OCI registry pull mechanics to download pre-built VM images for machine provisioning. The vulnerability exists in the TLS/HTTPS implementation during image download—specifically, the code fails to implement proper certificate chain validation as defined in CWE-295 (Improper Certificate Validation). This is a classic cryptographic failure where the application establishes an encrypted channel without authenticating the remote endpoint's identity. The affected technology involves OCI Distribution Spec compliance, containerd image services, and Go's crypto/tls package. When a user runs podman machine init, the system should validate that the OCI registry's certificate matches expected trust anchors; instead, it accepts any certificate or potentially skips validation entirely. This allows an attacker positioned on the network path (AV:N) to serve malicious VM images while the client trusts the connection as legitimate.

RemediationAI

Patch: Update Podman to a version that implements proper TLS certificate validation in the machine init code path. Users should consult Red Hat Security Advisories (RHSA) and podman.io for the specific patched release. Workarounds pending patch availability: (1) Perform podman machine init only on networks you trust (corporate VPN, home network with TLS inspection disabled); (2) Pre-stage VM images locally and configure Podman to use local OCI registries rather than remote pulls; (3) Use network segmentation or firewall rules to restrict outbound registry connections; (4) Implement TLS inspection appliances or proxies on your network boundary to detect certificate anomalies. Mitigations: Monitor for unexpected VM image downloads in Podman logs; verify image checksums post-download if vendor provides them; consider using Podman's --image flag to pin known-good images rather than using defaults from remote registries.

Vendor StatusVendor

Ubuntu

Priority: Medium
podman
Release Status Version
jammy DNE -
noble DNE -
oracular DNE -
upstream needs-triage -
plucky ignored end of life, was needs-triage
questing needs-triage -

Debian

Bug #1108473
libpod
Release Status Fixed Version Urgency
bullseye not-affected - -
bookworm not-affected - -
(unstable) fixed (unfixed) -
podman
Release Status Fixed Version Urgency
trixie fixed 5.4.2+ds1-2 -
forky, sid fixed 5.7.0+ds2-3 -
(unstable) fixed 5.4.2+ds1-2 -

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.94 Affected
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.13 Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Container suse/sle-micro/5.5:2.0.4-5.5.357 Image SLES15-SP5-Manager-Proxy-5-0-BYOS Image SLES15-SP5-Manager-Proxy-5-0-BYOS-Azure Image SLES15-SP5-Manager-Proxy-5-0-BYOS-EC2 Image SLES15-SP5-Manager-Proxy-5-0-BYOS-GCE Image SLES15-SP5-Manager-Server-5-0 Image SLES15-SP5-Manager-Server-5-0-Azure-llc Image SLES15-SP5-Manager-Server-5-0-Azure-ltd Image SLES15-SP5-Manager-Server-5-0-BYOS Image SLES15-SP5-Manager-Server-5-0-BYOS-Azure Image SLES15-SP5-Manager-Server-5-0-BYOS-EC2 Image SLES15-SP5-Manager-Server-5-0-BYOS-GCE Image SLES15-SP5-Manager-Server-5-0-EC2-llc Image SLES15-SP5-Manager-Server-5-0-EC2-ltd Image SLES15-SP5-Micro-5-5 Image SLES15-SP5-Micro-5-5-Azure Image SLES15-SP5-Micro-5-5-BYOS Image SLES15-SP5-Micro-5-5-BYOS-Azure Image SLES15-SP5-Micro-5-5-BYOS-EC2 Image SLES15-SP5-Micro-5-5-BYOS-GCE Image SLES15-SP5-Micro-5-5-EC2 Image SLES15-SP5-Micro-5-5-GCE Affected
Image SLES-CHOST-BYOS-Aliyun Image SLES-CHOST-BYOS-Azure Image SLES-CHOST-BYOS-EC2 Image SLES-CHOST-BYOS-GCE Image SLES-CHOST-BYOS-GDC Image SLES-CHOST-BYOS-SAP-CCloud Affected
SUSE Enterprise Storage 7.1 Fixed

Share

CVE-2025-6032 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy