Unknown · Kubernetes · CVE-2025-0426
**Name of the Vulnerable Software and Affected Versions**
Kubernetes versions 1.25 through 1.32.1
Kubernetes versions 1.30.0 through 1.30.9
Kubernetes versions 1.31.0 through 1.31.5
Kubernetes versions 1.32.0 through 1.32.1
**Description**
A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk. Requests sent to the read-only HTTP port, which is enabled by default on port 10255, create container checkpoints, and a large number of them results in multiple checkpoint files accumulating in `/var/lib/kubelet/checkpoints`. For the issue to be exploitable, several factors must coincide: the read-only port is enabled, the container runtime supports container checkpointing, and the `ContainerCheckpoint` feature gate is enabled in the kubeapi.
**Recommendations**
For versions 1.25 through 1.32.1, consider disabling the read-only HTTP port or restricting access to it until a patch is available.
For versions 1.30.0 through 1.30.9, disable the ContainerCheckpoint feature gate in the kubeapi to prevent exploitation.
For versions 1.31.0 through 1.31.5, update the container runtime to a version that does not support container checkpointing or disable the enable criu support parameter.
For versions 1.32.0 through 1.32.1, restrict access to the `/var/lib/kubelet/checkpoints` directory to prevent disk filling.
As a temporary workaround, consider disabling the container checkpointing feature in the container runtime until a patch is available.
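
A node-side check for the preconditions and the disk symptom described above, added here as an example (it is not code from the advisory or the Kubernetes project). It assumes the kubelet's effective configuration was fetched as JSON from the `/configz` endpoint, for example with `kubectl get --raw "/api/v1/nodes/<node>/proxy/configz"`; the function names, result keys and sample data are constructed for illustration.

```python
import json
import os

CHECKPOINT_DIR = "/var/lib/kubelet/checkpoints"  # directory named in the advisory


def assess_kubelet(configz_json):
    """Evaluate the kubelet-side preconditions from one node's /configz JSON."""
    cfg = json.loads(configz_json).get("kubeletconfig", {})
    # Assumption: a missing readOnlyPort in the effective config means 0 (disabled).
    port = cfg.get("readOnlyPort", 0)
    # None means the gate is not set explicitly, so the kubelet version's default applies.
    gate = (cfg.get("featureGates") or {}).get("ContainerCheckpoint")
    return {
        "read_only_port": port,
        "checkpoint_gate": gate,
        # Flag the node unless the port is off or the gate is explicitly false.
        # Runtime checkpoint support is the third factor and must be checked on the node.
        "needs_attention": bool(port) and gate is not False,
    }


def checkpoint_usage(path=CHECKPOINT_DIR):
    """Return (file_count, total_bytes) for the checkpoint directory."""
    count = total = 0
    try:
        with os.scandir(path) as entries:
            for entry in entries:
                if entry.is_file(follow_symlinks=False):
                    count += 1
                    total += entry.stat(follow_symlinks=False).st_size
    except FileNotFoundError:
        pass  # no checkpoint has ever been written on this node
    return count, total


if __name__ == "__main__":
    # Constructed sample, shaped like a kubelet /configz response.
    sample = json.dumps({"kubeletconfig": {
        "readOnlyPort": 10255,
        "featureGates": {"ContainerCheckpoint": True},
    }})
    print(assess_kubelet(sample))
    print("checkpoint files, bytes:", checkpoint_usage())
```

Tracking the `checkpoint_usage()` numbers over time, alongside free space on the filesystem holding `/var/lib/kubelet`, gives an early signal of the disk-filling behaviour before the node runs out of space.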