GHSA-rgh6-rfwx-v388
Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector requiring the ability to introduce a checkpoint (PR:L); crossing the container-to-host boundary is a scope change (S:C) yielding high confidentiality only (C:H), with no integrity or availability impact.
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6Description PRE-NVD
AnalysisAI
Arbitrary host file disclosure in containerd's CRI plugin lets an attacker read any file on the Kubernetes node via kubectl logs because the plugin restores container.log from a checkpoint image while blindly following a symlinked path. All containerd 2.x branches before 2.1.9, 2.2.5, and 2.3.2 are affected wherever container checkpoint/restore (CRIU-based) is used. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the containerd CRI plugin performs a checkpoint restore of an attacker-controlled or attacker-influenced checkpoint image containing a `container.log` entry that is a symlink to a host file; the payload is then read when someone invokes `kubectl logs` against the restored container. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score is 8.2 (High) with vector AV:L/AC:L/AT:N/PR:N/UI:N and VC:H plus SC:H, signalling high confidentiality impact on both the vulnerable and a subsequent system (the host) with local access and no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker able to supply or influence a container checkpoint image embeds a `container.log` entry that is actually a symlink to a sensitive host file such as `/etc/shadow` or a service-account token. After the malicious checkpoint is restored on a node, the attacker (or an unwitting operator) runs `kubectl logs` against the resulting pod, and containerd dereferences the symlink and returns the host file's contents. … |
| Remediation | Vendor-released patch: upgrade to containerd 2.1.9, 2.2.5, or 2.3.2 depending on your branch (2.1.x → 2.1.9, 2.2.x → 2.2.5, 2.3.x → 2.3.2), as documented in advisory GHSA-rgh6-rfwx-v388 (https://github.com/containerd/containerd/security/advisories/GHSA-rgh6-rfwx-v388); Ubuntu users should apply the packages from USN-8472-1 and USN-8473-1 (https://ubuntu.com/security/notices/USN-8472-1, https://ubuntu.com/security/notices/USN-8473-1). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Kubernetes clusters using containerd 2.x versions prior to 2.1.9, 2.2.5, or 2.3.2. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Containerd
View allHost command execution in containerd's CRI plugin arises because labels from an image config (Dockerfile LABEL instructi
Kubernetes device-plugin and resource-allocation enforcement can be bypassed in containerd by a namespace user holding p
Checkpoint image poisoning in containerd's CRI implementation allows an attacker with pod-creation permissions to corrup
Memory exhaustion via maliciously crafted container image in containerd causes an OOM kill of the containerd process, re
containerd is an open-source container runtime. Rated medium severity (CVSS 4.6), this vulnerability is low attack compl
containerd is an open-source container runtime. Rated medium severity (CVSS 6.9), this vulnerability is no authenticatio
containerd is an open-source container runtime. Rated high severity (CVSS 7.3), this vulnerability is low attack complex
containerd is an open-source container runtime. Rated medium severity (CVSS 4.6), this vulnerability is no authenticatio
containerd is a container runtime. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authen
Same weakness CWE-61 – UNIX Symbolic Link (Symlink) Following
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SLES15-SP5-CHOST-BYOS-SAP-CCloud | Affected |
| SLES15-SP6-CHOST-BYOS | Affected |
| SLES15-SP6-CHOST-BYOS-Aliyun | Affected |
| SLES15-SP6-CHOST-BYOS-Azure | Affected |
| SLES15-SP6-CHOST-BYOS-EC2 | Affected |
| SLES15-SP6-CHOST-BYOS-GCE | Affected |
| SLES15-SP6-CHOST-BYOS-GDC | Affected |
| SLES15-SP6-CHOST-BYOS-SAP-CCloud | Affected |
| SLES15-SP7-CHOST-BYOS-Aliyun | Affected |
| SLES15-SP7-CHOST-BYOS-Azure | Affected |
| SLES15-SP7-CHOST-BYOS-EC2 | Affected |
| SLES15-SP7-CHOST-BYOS-GCE | Affected |
| SLES15-SP7-CHOST-BYOS-GDC | Affected |
| SLES15-SP7-CHOST-BYOS-SAP-CCloud | Affected |
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 12 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Micro 5.3 | Affected |
| SUSE Linux Enterprise Micro 5.4 | Affected |
| SUSE Linux Enterprise Micro 5.5 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Micro 6.0 | Affected |
| SUSE Linux Micro 6.1 | Affected |
| SUSE Linux Micro 6.2 | Affected |
| SUSE Package Hub 15 SP7 | Affected |
| openSUSE Leap 16.0 | Affected |
| SLES15-SP3-CHOST-BYOS-Aliyun | Affected |
| SLES15-SP3-CHOST-BYOS-Azure | Affected |
| SLES15-SP3-CHOST-BYOS-EC2 | Affected |
| SLES15-SP3-CHOST-BYOS-GCE | Affected |
| SLES15-SP3-CHOST-BYOS-SAP-CCloud | Affected |
| SLES15-SP4-CHOST-BYOS | Affected |
| SLES15-SP4-CHOST-BYOS-Aliyun | Affected |
| SLES15-SP4-CHOST-BYOS-Azure | Affected |
| SLES15-SP4-CHOST-BYOS-EC2 | Affected |
| SLES15-SP4-CHOST-BYOS-GCE | Affected |
| SLES15-SP4-CHOST-BYOS-SAP-CCloud | Affected |
| SLES15-SP5-CHOST-BYOS-Aliyun | Affected |
| SLES15-SP5-CHOST-BYOS-Azure | Affected |
| SLES15-SP5-CHOST-BYOS-EC2 | Affected |
| SLES15-SP5-CHOST-BYOS-GCE | Affected |
| SLES15-SP5-CHOST-BYOS-GDC | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP4 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP6 | Affected |
| SUSE Linux Enterprise Server 12 SP5 | Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Affected |
| SUSE Linux Enterprise Server 15 SP4 | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5 | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP6 | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Manager Proxy 4.3 | Affected |
| SUSE Manager Retail Branch Server 4.3 | Affected |
| SUSE Manager Server 4.3 | Affected |
| SUSE CaaS Platform 3.0 | Affected |
| SUSE CaaS Platform 4.0 | Affected |
| SUSE Enterprise Storage 6 | Affected |
| SUSE Enterprise Storage 7 | Affected |
| SUSE Enterprise Storage 7.1 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Affected |
| SUSE Linux Enterprise High Performance Computing 15-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15-LTSS | Affected |
| SUSE Linux Enterprise Micro 5.0 | Affected |
| SUSE Linux Enterprise Micro 5.1 | Affected |
| SUSE Linux Enterprise Micro 5.2 | Affected |
| SUSE Linux Enterprise Module for Containers 12 | Affected |
| SUSE Linux Enterprise Module for Containers 15 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP1 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP2 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP3 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP2 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP3 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Affected |
| SUSE Linux Enterprise Server 12 | Affected |
| SUSE Linux Enterprise Server 12 SP3 | Affected |
| SUSE Linux Enterprise Server 12 SP4 | Affected |
| SUSE Linux Enterprise Server 15 | Affected |
| SUSE Linux Enterprise Server 15 SP1 | Affected |
| SUSE Linux Enterprise Server 15 SP1-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP2 | Affected |
| SUSE Linux Enterprise Server 15 SP2-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP3 | Affected |
| SUSE Linux Enterprise Server 15 SP3-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise Server 15-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| SUSE Manager Proxy 4.0 | Affected |
| SUSE Manager Proxy 4.1 | Affected |
| SUSE Manager Proxy 4.2 | Affected |
| SUSE Manager Retail Branch Server 4.0 | Affected |
| SUSE Manager Retail Branch Server 4.1 | Affected |
| SUSE Manager Retail Branch Server 4.2 | Affected |
| SUSE Manager Server 4.0 | Affected |
| SUSE Manager Server 4.1 | Affected |
| SUSE Manager Server 4.2 | Affected |
| SUSE OpenStack Cloud 6 | Affected |
| SUSE OpenStack Cloud 6-LTSS | Affected |
| openSUSE Leap 15.3 | Affected |
| openSUSE Leap 15.4 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.6 | Affected |
| openSUSE Leap 15.6 | Affected |
| openSUSE Leap Micro 5.2 | Affected |
| openSUSE Leap Micro 5.3 | Affected |
| openSUSE Leap Micro 5.4 | Affected |
| openSUSE Leap Micro 5.5 | Affected |
| SLES-CHOST-BYOS-Aliyun | Affected |
| SLES-CHOST-BYOS-Azure | Affected |
| SLES-CHOST-BYOS-EC2 | Affected |
| SLES-CHOST-BYOS-GCE | Affected |
| SLES-CHOST-BYOS-GDC | Affected |
| SLES-CHOST-BYOS-SAP-CCloud | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41110