CVE-2025-0426

Name of the Vulnerable Software and Affected Versions Kubernetes versions 1.25 through 1.32.1 Kubernetes versions 1.30.0 through 1.30.9 Kubernetes versions 1.31.0 through 1.31.5 Kubernetes versions 1.32.0 through 1.32.1

Description A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk. This can be achieved by sending a large number of requests to the read-only HTTP port, which is enabled by default on port 10255, to create container checkpoints, resulting in the creation of multiple checkpoint files in /var/lib/kubelet/checkpoints. However, for the issue to be exploitable, several factors must coincide, including the read-only port being enabled, the container runtime supporting container checkpointing, and the ContainerCheckpoint feature gate being enabled in the kubeapi.

Recommendations For versions 1.25 through 1.32.1, consider disabling the read-only HTTP port or restricting access to it until a patch is available. For versions 1.30.0 through 1.30.9, disable the ContainerCheckpoint feature gate in the kubeapi to prevent exploitation. For versions 1.31.0 through 1.31.5, update the container runtime to a version that does not support container checkpointing or disable the enable criu support parameter. For versions 1.32.0 through 1.32.1, restrict access to the /var/lib/kubelet/checkpoints directory to prevent disk filling. As a temporary workaround, consider disabling the container checkpointing feature in the container runtime until a patch is available.