Updated on 2025-03-26 GMT+08:00

Notice of Kubernetes Security Vulnerability (CVE-2025-0426)

CVE-2025-0426 is a denial-of-service (DoS) vulnerability in Kubernetes that is exposed through the kubelet read-only HTTP port. By sending a large number of container checkpoint requests to that endpoint, an attacker can rapidly fill the node's disk with checkpoint archives, causing a denial of service on the node.

Description

Table 1 Vulnerability details

Type                CVE-ID          Severity    Discovered
Denial of service   CVE-2025-0426   Medium      2025-02-13

Impact

This vulnerability affects kubelet of the following versions:

  • kubelet v1.32.0–v1.32.1
  • kubelet v1.31.0–v1.31.5
  • kubelet v1.30.0–v1.30.9

In kubelet v1.25 to v1.29 the ContainerCheckpoint feature gate is disabled by default, so the vulnerability cannot be triggered on those versions unless the gate has been enabled explicitly.

This vulnerability can affect Kubernetes clusters that have the kubelet read-only HTTP port enabled and use a container runtime that supports container checkpointing, such as containerd v2.0 and later or Docker v1.13 and later with Checkpoint/Restore In Userspace (CRIU) enabled.

The containerd versions on CCE nodes are v1.6 and v1.7, the Docker version is v18.09, and CRIU is disabled by default, so the vulnerability cannot be triggered on CCE nodes.

Identification Method

If the kubelet read-only HTTP port receives a large number of requests for the checkpoint API, or if a node accumulates numerous checkpoint files in the /var/lib/kubelet/checkpoints directory (the default location), an attacker may be exploiting this vulnerability to launch a DoS attack.
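The following POSIX shell script is an added example, not part of this notice or of CCE's tooling. It checks a node for the indicators named in the Impact and Identification Method sections: whether the kubelet configuration enables the read-only port, whether a criu binary is installed (a prerequisite for checkpointing with the runtimes listed above), and how many files and how much space the checkpoint directory holds. It assumes the kubelet configuration file is at /var/lib/kubelet/config.yaml (a common but not universal path), uses the page's default checkpoint directory, and treats the 50-file threshold as a constructed example value to be tuned per environment.

```shell
#!/bin/sh
# Added example (not from the CCE notice): node-side checks for the
# CVE-2025-0426 indicators described in "Identification Method".
# Assumptions not stated on the page: the kubelet config path below and
# the 50-file threshold are constructed example values.

CHECKPOINT_DIR="${CHECKPOINT_DIR:-/var/lib/kubelet/checkpoints}"
KUBELET_CONFIG="${KUBELET_CONFIG:-/var/lib/kubelet/config.yaml}"
THRESHOLD="${THRESHOLD:-50}"

# Print the number of regular files in the checkpoint directory (0 if the
# directory does not exist). kubelet writes checkpoint archives here as
# checkpoint-<pod>_<namespace>-<container>-<timestamp>.tar files.
count_checkpoints() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# Print the disk usage of the checkpoint directory in KiB (0 if absent).
checkpoint_usage_kib() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return 0; }
    du -sk "$dir" | cut -f1
}

# Return 0 (true) if the KubeletConfiguration file sets a non-zero
# readOnlyPort, i.e. the read-only HTTP port is enabled; 1 otherwise.
read_only_port_enabled() {
    cfg="$1"
    [ -f "$cfg" ] || return 1
    port=$(sed -n 's/^[[:space:]]*readOnlyPort:[[:space:]]*\([0-9]*\).*/\1/p' "$cfg" | head -n 1)
    [ -n "$port" ] && [ "$port" -ne 0 ]
}

# Return 0 if a criu binary is on PATH; without CRIU the runtimes named in
# the notice cannot create checkpoints, so the DoS path is not reachable.
criu_present() {
    command -v criu >/dev/null 2>&1
}

# Print a one-line summary of all indicators. Exit status 1 means the
# checkpoint file count has reached THRESHOLD and deserves investigation.
check_node() {
    n=$(count_checkpoints "$CHECKPOINT_DIR")
    kib=$(checkpoint_usage_kib "$CHECKPOINT_DIR")
    if read_only_port_enabled "$KUBELET_CONFIG"; then ro="enabled"; else ro="disabled"; fi
    if criu_present; then criu="present"; else criu="absent"; fi
    echo "checkpoint files: $n ($kib KiB), read-only port: $ro, criu: $criu"
    [ "$n" -lt "$THRESHOLD" ]
}

# Run the full check only when invoked as "sh script.sh run", so the
# functions can also be sourced into other scripts.
case "${1:-}" in
    run) check_node ;;
esac
```

Run it on a node with `sh kubelet_checkpoint_check.sh run`; a "read-only port: disabled" or "criu: absent" result means the preconditions from the Impact section are not met, while a rising file count or KiB figure across repeated runs is the signal the Identification Method describes.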

Solution

Do not enable CRIU. The container runtimes on Huawei Cloud CCE nodes do not have CRIU enabled, so this vulnerability cannot be triggered by default. The issue will be fixed in a new CCE version; watch the Patch Versions page for the release that includes the fix.