Notice of Kubernetes Security Vulnerability (CVE-2025-0426)
CVE-2025-0426 is a denial-of-service (DoS) vulnerability in Kubernetes that affects the kubelet read-only HTTP port. By sending numerous checkpoint requests to this endpoint, an attacker can rapidly fill up the node's disk space, causing a denial of service on the node.
Description
Type | CVE-ID | Severity | Discovered
---|---|---|---
Denial of service | CVE-2025-0426 | Medium | 2025-02-13
Impact
This vulnerability affects the following kubelet versions:
- kubelet v1.32.0–v1.32.1
- kubelet v1.31.0–v1.31.5
- kubelet v1.30.0–v1.30.9
The ContainerCheckpoint feature gate is disabled by default in kubelet v1.25 to v1.29, so the vulnerability cannot be triggered on those versions unless the gate has been enabled explicitly.
This vulnerability can affect Kubernetes clusters that have the kubelet read-only HTTP port enabled and use a container runtime supporting container checkpointing, such as containerd v2.0 and later or Docker v1.13 and later with Checkpoint/Restore In Userspace (CRIU) enabled.
The containerd versions on CCE nodes are v1.6 and v1.7, the Docker version is v18.09, and CRIU is disabled by default, so the vulnerability will not be triggered.
Identification Method
If the kubelet read-only HTTP port receives a large number of requests to the checkpoint API, or if the /var/lib/kubelet/checkpoints directory (the default location) on a node contains a large number of checkpoint files, an attacker may be exploiting this vulnerability to launch a DoS attack.
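The following node-side check is an added example, not part of this advisory or of CCE; it counts checkpoint archives in the kubelet checkpoint directory, reports the disk they consume, and notes whether the read-only port is listening. It assumes the default checkpoint path, the kubelet read-only port default of 10255, and an operator-chosen file-count threshold (adjust the variables for your nodes).

```shell
#!/bin/sh
# Added example (assumptions: default checkpoint path, read-only port 10255,
# and a threshold chosen by the operator; all three are overridable).
CHECKPOINT_DIR="${CHECKPOINT_DIR:-/var/lib/kubelet/checkpoints}"
THRESHOLD="${THRESHOLD:-20}"          # alert when this many archives exist
READONLY_PORT="${READONLY_PORT:-10255}"

# Number of checkpoint archives directly in a directory. kubelet names them
# checkpoint-<pod>_<namespace>-<container>-<timestamp>.tar; a missing
# directory counts as 0 so the check is safe on nodes that never checkpointed.
count_checkpoints() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -maxdepth 1 -type f -name 'checkpoint-*.tar' | wc -l | tr -d ' '
}

# Disk used by the directory in KiB, since disk exhaustion is the impact.
checkpoint_kib() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return 0; }
    du -sk "$dir" | cut -f1
}

# Succeeds (exit 0) when the archive count meets or exceeds the threshold.
checkpoint_flood_suspected() {
    dir="$1"; limit="$2"
    n=$(count_checkpoints "$dir")
    [ "$n" -ge "$limit" ]
}

# Succeeds when a TCP listener is bound to the read-only port (requires ss).
readonly_port_listening() {
    ss -ltn 2>/dev/null | grep -q ":$1 "
}

# Print a short report; exit status 2 signals a suspected checkpoint flood.
report() {
    n=$(count_checkpoints "$CHECKPOINT_DIR")
    kib=$(checkpoint_kib "$CHECKPOINT_DIR")
    echo "checkpoint archives in $CHECKPOINT_DIR: $n ($kib KiB)"
    if readonly_port_listening "$READONLY_PORT"; then
        echo "read-only port $READONLY_PORT is listening: exposed if CRIU is enabled"
    fi
    if checkpoint_flood_suspected "$CHECKPOINT_DIR" "$THRESHOLD"; then
        echo "ALERT: $n archives >= $THRESHOLD; possible CVE-2025-0426 DoS"
        return 2
    fi
    return 0
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it with `--report` from a node shell or a DaemonSet with the kubelet directory mounted read-only; a non-zero exit status can feed an existing alerting hook.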
Solution
Do not enable CRIU. The container runtimes on Huawei Cloud CCE nodes do not have CRIU enabled, so this vulnerability is not triggered by default. This issue will be resolved in a new CCE version; keep an eye out for patch versions.