The CVE-2025-XXXX vulnerability in CRI-O stems from its user creation logic. When a Kubernetes pod specifies a `securityContext.runAsUser` with a user ID not present in the container’s `/etc/passwd` file, CRI-O enters a code path to create that user. As part of this process, it reads the entire contents of the container’s `/etc/passwd` file into memory. Standard passwd files are small, but an attacker can craft a malicious container image with an extremely large `/etc/passwd` file. When this container is deployed with a non-existent runAsUser, CRI-O will read the entire massive file, allocating a significant and disproportionate amount of memory. This uncontrolled memory consumption can lead to the CRI-O process being killed by the host’s Out-of-Memory (OOM) killer, resulting in a denial-of-service condition for the entire node and disrupting all other pods scheduled on it.
Platform: Container Runtime
Version: Up to 1.xx.x
Vulnerability: DoS
Severity: Moderate
Date: 2025-08-20
Prediction: 2025-09-17
What Undercode Says:
`kubectl run attacker --image=malicious-image-with-huge-passwd --overrides='{"spec": {"securityContext": {"runAsUser": 9999}}}'`
`cat /dev/urandom | head -c 1000000000 >> ./etc/passwd`
`docker build -t malicious-image-with-huge-passwd .`
How to Exploit:
Create a pod with a malicious image containing a gigabyte-sized `/etc/passwd` file and a `runAsUser` not in the file. CRI-O’s memory usage spikes, triggering the OOM killer.
Protection from this CVE:
Update CRI-O to the latest patched version. Enforce Pod Security Standards (e.g., via Pod Security Admission) or an admission policy that restricts which workloads may set `runAsUser`. Use image scanning tools to reject images whose `/etc/passwd` is anomalously large.
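The two mitigations above (reject images with an oversized `/etc/passwd`, and control which pods may set `runAsUser`) can be combined into one admission-side check. The Python below is an added example written for this post; it is not code from CRI-O, Kubernetes or the original author. It assumes image layers are available as plain tar archives (as produced by `docker save` or an OCI layout), uses a constructed two-layer image and pod spec as sample input, and treats the 64 KiB threshold as an operator choice. Note that it deliberately does not read a `/etc/passwd` that exceeds the threshold, since reading it into memory is exactly the behaviour the advisory describes.

```python
"""Admission-side check for oversized /etc/passwd and unknown runAsUser.

Added example (not from CRI-O, Kubernetes or the original post). Assumes
image layers are plain tar archives; later layers override earlier ones.
"""
import io
import tarfile
from dataclasses import dataclass, field

# Operator-chosen limit: a normal /etc/passwd is a few kilobytes.
MAX_PASSWD_BYTES = 64 * 1024

# Constructed sample passwd content (not taken from any real image).
NORMAL_PASSWD = (b"root:x:0:0:root:/root:/bin/sh\n"
                 b"nobody:x:65534:65534:nobody:/:/sbin/nologin\n")


@dataclass
class ScanResult:
    passwd_size: int = 0                       # size of the effective /etc/passwd
    known_uids: set = field(default_factory=set)  # uids parsed from it (if read)
    findings: list = field(default_factory=list)  # human-readable reject reasons


def normalize(name):
    """Tar entries may appear as 'etc/passwd', './etc/passwd' or '/etc/passwd'."""
    while name.startswith("./") or name.startswith("/"):
        name = name[2:] if name.startswith("./") else name[1:]
    return name


def parse_uids(text):
    """Collect the third field (uid) of each well-formed passwd line."""
    uids = set()
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or line.startswith("#"):
            continue
        try:
            uids.add(int(fields[2]))
        except ValueError:
            continue
    return uids


def scan_layers(layer_blobs, max_bytes=MAX_PASSWD_BYTES):
    """Walk layers in order; the last /etc/passwd seen is the effective one."""
    result = ScanResult()
    for idx, blob in enumerate(layer_blobs):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
            for member in tar.getmembers():
                if normalize(member.name) != "etc/passwd" or not member.isfile():
                    continue
                result.passwd_size = member.size
                result.known_uids = set()
                if member.size > max_bytes:
                    result.findings.append(
                        f"layer {idx}: /etc/passwd is {member.size} bytes "
                        f"(limit {max_bytes})")
                    continue  # do not read it: that is the vulnerable code path
                data = tar.extractfile(member).read().decode("utf-8", "replace")
                result.known_uids = parse_uids(data)
    return result


def effective_run_as_users(pod):
    """Container-level runAsUser overrides the pod-level value for that container."""
    spec = pod.get("spec", {})
    pod_level = (spec.get("securityContext") or {}).get("runAsUser")
    users = []
    for c in spec.get("containers", []):
        uid = (c.get("securityContext") or {}).get("runAsUser", pod_level)
        if uid is not None:
            users.append(uid)
    if not spec.get("containers") and pod_level is not None:
        users.append(pod_level)
    return users


def check_pod(pod, result, max_bytes=MAX_PASSWD_BYTES):
    """Return reject reasons; an empty list means the pod may be admitted."""
    reasons = list(result.findings)
    if result.passwd_size <= max_bytes:  # uids were parsed only in this case
        for uid in effective_run_as_users(pod):
            if uid not in result.known_uids:
                reasons.append(f"runAsUser {uid} is not defined in the image's "
                               "/etc/passwd; the runtime would take the user-creation path")
    return reasons


def make_layer(files):
    """Build an uncompressed tar layer in memory from {path: bytes} (test helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo():
    """Constructed scenarios: a benign image, then one with a padded /etc/passwd."""
    benign = [make_layer({"etc/passwd": NORMAL_PASSWD})]
    padded = benign + [make_layer({"./etc/passwd": NORMAL_PASSWD + b"#" * (2 * MAX_PASSWD_BYTES)})]
    as_root = {"spec": {"securityContext": {"runAsUser": 0}, "containers": [{"name": "app"}]}}
    as_9999 = {"spec": {"securityContext": {"runAsUser": 9999}, "containers": [{"name": "app"}]}}
    return {"benign_root": check_pod(as_root, scan_layers(benign)),
            "benign_unknown_uid": check_pod(as_9999, scan_layers(benign)),
            "padded": check_pod(as_9999, scan_layers(padded))}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "admit" if not reasons else reasons)
```

Running the file prints one line per scenario: the benign image with `runAsUser: 0` is admitted, the benign image with an unknown uid is rejected because the runtime would enter the user-creation path, and the padded image is rejected on size alone without its `/etc/passwd` ever being read.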
Impact:
Denial-of-service on the Kubernetes node, causing termination of the CRI-O runtime and all hosted pods. Cluster instability and potential service downtime.
Sources:
Reported By: github.com