GHSA-cvxm-645q-p574
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network vector via Kubernetes API; PR:L for required pod-creation permission; AC:H for two-stage attack requiring victim pod with non-Always pull policy; S:C as compromise crosses into victim pod identity.
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Description PRE-NVD
Articles & Coverage 4
AnalysisAI
Checkpoint image poisoning in containerd's CRI implementation allows an attacker with pod-creation permissions to corrupt the node-local image cache, causing victim pods to silently execute malicious images in place of legitimate ones. The root cause is missing validation of image references embedded in checkpoint image configurations: containerd trusts attacker-controlled strings in the checkpoint archive to drive image pulls and local tag assignment. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold Kubernetes RBAC permissions sufficient to create pods in at least one namespace on the target cluster - specifically the ability to invoke the CRI checkpoint import path (e.g., via the kubelet checkpoint API or equivalent). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector or EPSS score is present in the provided data, so quantitative risk metrics cannot be cited - severity is vendor-stated as Critical via GHSA-cvxm-645q-p574. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with Kubernetes pod-creation RBAC permissions on a target namespace builds a malicious OCI checkpoint image that embeds forged image reference strings pointing to attacker-controlled registry content. They submit a pod spec that triggers containerd's CRI checkpoint import path, causing containerd to fetch the malicious image and register it locally under a tag matching a legitimate image expected by other workloads on the same node. … |
| Remediation | Update containerd to a patched release: 2.3.2, 2.2.5, or 2.1.9, available at https://github.com/containerd/containerd/releases. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Kubernetes clusters for containerd usage and identify vulnerable versions via container runtime inventory. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Containerd
View allHost command execution in containerd's CRI plugin arises because labels from an image config (Dockerfile LABEL instructi
Kubernetes device-plugin and resource-allocation enforcement can be bypassed in containerd by a namespace user holding p
Arbitrary host file disclosure in containerd's CRI plugin lets an attacker read any file on the Kubernetes node via `kub
Memory exhaustion via maliciously crafted container image in containerd causes an OOM kill of the containerd process, re
containerd is an open-source container runtime. Rated medium severity (CVSS 4.6), this vulnerability is low attack compl
containerd is an open-source container runtime. Rated medium severity (CVSS 6.9), this vulnerability is no authenticatio
containerd is an open-source container runtime. Rated high severity (CVSS 7.3), this vulnerability is low attack complex
containerd is an open-source container runtime. Rated medium severity (CVSS 4.6), this vulnerability is no authenticatio
containerd is a container runtime. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authen
Vendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SLES15-SP5-CHOST-BYOS-SAP-CCloud | Not-Affected |
| SLES15-SP6-CHOST-BYOS | Not-Affected |
| SLES15-SP6-CHOST-BYOS-Aliyun | Not-Affected |
| SLES15-SP6-CHOST-BYOS-Azure | Not-Affected |
| SLES15-SP6-CHOST-BYOS-EC2 | Not-Affected |
| SLES15-SP6-CHOST-BYOS-GCE | Not-Affected |
| SLES15-SP6-CHOST-BYOS-GDC | Not-Affected |
| SLES15-SP6-CHOST-BYOS-SAP-CCloud | Not-Affected |
| SLES15-SP7-CHOST-BYOS-Aliyun | Not-Affected |
| SLES15-SP7-CHOST-BYOS-Azure | Not-Affected |
| SLES15-SP7-CHOST-BYOS-EC2 | Not-Affected |
| SLES15-SP7-CHOST-BYOS-GCE | Not-Affected |
| SLES15-SP7-CHOST-BYOS-GDC | Not-Affected |
| SLES15-SP7-CHOST-BYOS-SAP-CCloud | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP7 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 12 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Not-Affected |
| SUSE Linux Enterprise Micro 5.3 | Not-Affected |
| SUSE Linux Enterprise Micro 5.4 | Not-Affected |
| SUSE Linux Enterprise Micro 5.5 | Not-Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Not-Affected |
| SUSE Linux Enterprise Module for Containers 15 SP7 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP7 | Not-Affected |
| SUSE Linux Enterprise Server 16.0 | Not-Affected |
| SUSE Linux Enterprise Server 16.1 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Not-Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Not-Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Not-Affected |
| SUSE Linux Micro 6.0 | Not-Affected |
| SUSE Linux Micro 6.1 | Not-Affected |
| SUSE Linux Micro 6.2 | Not-Affected |
| SUSE Package Hub 15 SP7 | Affected |
| openSUSE Leap 16.0 | Not-Affected |
| SLES15-SP3-CHOST-BYOS-Aliyun | Not-Affected |
| SLES15-SP3-CHOST-BYOS-Azure | Not-Affected |
| SLES15-SP3-CHOST-BYOS-EC2 | Not-Affected |
| SLES15-SP3-CHOST-BYOS-GCE | Not-Affected |
| SLES15-SP3-CHOST-BYOS-SAP-CCloud | Not-Affected |
| SLES15-SP4-CHOST-BYOS | Not-Affected |
| SLES15-SP4-CHOST-BYOS-Aliyun | Not-Affected |
| SLES15-SP4-CHOST-BYOS-Azure | Not-Affected |
| SLES15-SP4-CHOST-BYOS-EC2 | Not-Affected |
| SLES15-SP4-CHOST-BYOS-GCE | Not-Affected |
| SLES15-SP4-CHOST-BYOS-SAP-CCloud | Not-Affected |
| SLES15-SP5-CHOST-BYOS-Aliyun | Not-Affected |
| SLES15-SP5-CHOST-BYOS-Azure | Not-Affected |
| SLES15-SP5-CHOST-BYOS-EC2 | Not-Affected |
| SLES15-SP5-CHOST-BYOS-GCE | Not-Affected |
| SLES15-SP5-CHOST-BYOS-GDC | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Not-Affected |
| SUSE Linux Enterprise Module for Containers 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Module for Containers 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Module for Containers 15 SP6 | Not-Affected |
| SUSE Linux Enterprise Server 12 SP5 | Not-Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Not-Affected |
| SUSE Linux Enterprise Server 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP6 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Not-Affected |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Not-Affected |
| SUSE Manager Proxy 4.3 | Not-Affected |
| SUSE Manager Retail Branch Server 4.3 | Not-Affected |
| SUSE Manager Server 4.3 | Not-Affected |
| SUSE CaaS Platform 3.0 | Not-Affected |
| SUSE CaaS Platform 4.0 | Not-Affected |
| SUSE Enterprise Storage 6 | Not-Affected |
| SUSE Enterprise Storage 7 | Not-Affected |
| SUSE Enterprise Storage 7.1 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15-LTSS | Not-Affected |
| SUSE Linux Enterprise Micro 5.0 | Not-Affected |
| SUSE Linux Enterprise Micro 5.1 | Not-Affected |
| SUSE Linux Enterprise Micro 5.2 | Not-Affected |
| SUSE Linux Enterprise Module for Containers 12 | Not-Affected |
| SUSE Linux Enterprise Module for Containers 15 | Not-Affected |
| SUSE Linux Enterprise Module for Containers 15 SP1 | Not-Affected |
| SUSE Linux Enterprise Module for Containers 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Module for Containers 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Affected |
| SUSE Linux Enterprise Server 12 | Not-Affected |
| SUSE Linux Enterprise Server 12 SP3 | Not-Affected |
| SUSE Linux Enterprise Server 12 SP4 | Not-Affected |
| SUSE Linux Enterprise Server 15 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP1 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP1-BCL | Not-Affected |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP2-BCL | Not-Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP3-BCL | Not-Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15-LTSS | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Not-Affected |
| SUSE Manager Proxy 4.0 | Not-Affected |
| SUSE Manager Proxy 4.1 | Not-Affected |
| SUSE Manager Proxy 4.2 | Not-Affected |
| SUSE Manager Retail Branch Server 4.0 | Not-Affected |
| SUSE Manager Retail Branch Server 4.1 | Not-Affected |
| SUSE Manager Retail Branch Server 4.2 | Not-Affected |
| SUSE Manager Server 4.0 | Not-Affected |
| SUSE Manager Server 4.1 | Not-Affected |
| SUSE Manager Server 4.2 | Not-Affected |
| SUSE OpenStack Cloud 6 | Not-Affected |
| SUSE OpenStack Cloud 6-LTSS | Not-Affected |
| openSUSE Leap 15.3 | Not-Affected |
| openSUSE Leap 15.4 | Not-Affected |
| openSUSE Leap 15.5 | Not-Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.6 | Not-Affected |
| openSUSE Leap 15.6 | Affected |
| openSUSE Leap Micro 5.2 | Not-Affected |
| openSUSE Leap Micro 5.3 | Not-Affected |
| openSUSE Leap Micro 5.4 | Not-Affected |
| openSUSE Leap Micro 5.5 | Not-Affected |
| SLES-CHOST-BYOS-Aliyun | Not-Affected |
| SLES-CHOST-BYOS-Azure | Not-Affected |
| SLES-CHOST-BYOS-EC2 | Not-Affected |
| SLES-CHOST-BYOS-GCE | Not-Affected |
| SLES-CHOST-BYOS-GDC | Not-Affected |
| SLES-CHOST-BYOS-SAP-CCloud | Not-Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41108