Podman Desktop
Monthly
Denial-of-service and information disclosure in Podman Desktop prior to 1.26.2 stem from an unauthenticated HTTP server that any network attacker can reach without credentials or user interaction. By abusing missing connection limits and timeouts, an attacker exhausts file descriptors and kernel memory to crash the application or freeze the entire host, while verbose error responses leak internal filesystem paths and system details (including Windows usernames). SSVC marks exploitation as proof-of-concept and automatable; publicly available exploit code exists, but EPSS probability is low (0.06%, 19th percentile).
Podman Desktop versions prior to 1.25.1 contain an authentication bypass in the extension permission framework where the `isAccessAllowed()` function always returns true, allowing malicious extensions to hijack authentication sessions and access sensitive resources without authorization. Public exploit code exists for this vulnerability, affecting all current deployments of the affected product. Administrators should upgrade to version 1.25.1 or later immediately.