CVE-2024-9676
📋 TL;DR
A symlink traversal vulnerability in the containers/storage library used by Podman, Buildah, and CRI-O lets a malicious container image cause a denial of service: the tool hangs and is eventually OOM-killed. The image carries a symlink at /etc/passwd that points at an arbitrary host path. When the tool runs the image with automatically assigned user namespaces (--userns=auto) it reads the image's /etc/passwd to size the namespace, follows the link on the host instead of inside the image root, and if the target yields unbounded data it consumes memory until the kernel kills it. Only hosts that run untrusted images with automatic user namespaces are exposed.
💻 Affected Systems
- Podman
- Buildah
- CRI-O
📦 What is this software?
Red Hat products listed for this CVE:
- Enterprise Linux For Ibm Z Systems
- Enterprise Linux For Ibm Z Systems Eus
- Enterprise Linux For Power Little Endian
- Enterprise Linux For Power Little Endian Eus
- Openshift Container Platform For Arm64
- Openshift Container Platform For Ibm Z
- Openshift Container Platform For Linuxone
- Openshift Container Platform For Power
⚠️ Risk & Real-World Impact
Worst Case
The container tool exhausts memory and is OOM-killed. While memory is being consumed the host can become sluggish, and under sustained pressure the kernel's OOM killer may select other processes, disrupting co-located containerized workloads.
Likely Case
The container tool that pulled or ran the image hangs and is killed; the affected service and containers need manual restart, and any pipeline that runs untrusted images with --userns=auto is stalled.
If Mitigated
Minimal impact with proper patching and security controls; isolated container failures without host system compromise.
🎯 Exploit Status
The image itself is trivial to build (a single symlink). What the attacker needs is a victim that pulls and runs the image on a host where Podman, Buildah, or CRI-O uses automatically assigned user namespaces (--userns=auto on the command line or the equivalent configuration). Registries that accept untrusted pushes, CI builders, and clusters that run user-supplied images are the realistic targets.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: containers/storage is a Go library vendored into each tool, so there is no separate library package to update on RHEL; install the podman, buildah, and cri-o builds listed in the Red Hat advisory for your product
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:10289
Restart Required: Yes
Instructions:
1. Update Podman, Buildah, and CRI-O to the fixed builds named in the Red Hat advisories below (or, for software you build yourself, bump the vendored containers/storage module to a fixed release and rebuild).
2. Restart the container services (for example crio.service and podman.socket) so the new binaries are in use.
3. Restart containers that were started by the old binaries where your workload requires it.
🔧 Temporary Workarounds
Disable automatic user namespaces
Do not run containers with --userns=auto (or userns = "auto" in containers.conf) while unpatched; pick an explicit mode instead, keeping in mind that keep-id applies to rootless Podman and host gives up UID isolation entirely:
podman run --userns=keep-id ...
podman run --userns=host ...
Run untrusted images in an isolated VM
podman machine runs containers inside a dedicated VM, so an OOM kill triggered by a hostile image is confined to that VM rather than the host running Podman:
podman machine init
podman machine start
🧯 If You Can't Patch
- Avoid pulling container images from untrusted sources
- Implement strict image signing and verification policies
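As an added example that is not part of this page or of the containers project, the Python below scans an exported image layer tarball for the precondition this CVE depends on: a symlink at etc/passwd or etc/group. It also shows, side by side, the naive path join that ends up following such a link on the host and a root-confined resolution that keeps the target inside the image root. The layer contents, the mount-point path and the /dev/zero target are constructed for the example.

```python
"""Flag image layers whose /etc/passwd or /etc/group is a symlink (CVE-2024-9676 precondition).

Constructed example: layers are built in memory; paths and link targets are illustrative.
"""
import io
import posixpath
import tarfile

# Files a user-namespace auto-sizer reads from the image root.
WATCHED = ("etc/passwd", "etc/group")


def normalize(member_name):
    """Tar member names may appear as './etc/passwd' or '/etc/passwd'; map both to 'etc/passwd'."""
    return posixpath.normpath(member_name).lstrip("/")


def escapes_rootfs(link_path, target):
    """True if following `target` with a plain host-side open() would leave the image root.

    An absolute target is resolved by the kernel against the host's '/', not the image root,
    and a relative target that climbs past the root with '..' has the same effect.
    """
    if target.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    return resolved == ".." or resolved.startswith("../")


def naive_host_path(rootfs, link_path, target):
    """The unsafe pattern: the path the kernel actually opens when the link is followed on the host."""
    if target.startswith("/"):
        return target
    return posixpath.normpath(posixpath.join(rootfs, posixpath.dirname(link_path), target))


def confined_path(rootfs, link_path, target):
    """Root-confined resolution: anchor absolute targets at `rootfs` and clamp '..' at its top.

    Handles a single symlink hop; a production resolver must repeat this for every
    intermediate path component and for chained links.
    """
    if target.startswith("/"):
        rel = target
    else:
        rel = posixpath.join("/", posixpath.dirname(link_path), target)
    rel = posixpath.normpath(rel).lstrip("/")  # normpath('/etc/../../x') -> '/x', so '..' cannot climb out
    return posixpath.join(rootfs, rel)


def scan_layer(tar_bytes):
    """Return one finding per watched path that is a symbolic link in this layer."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            path = normalize(m.name)
            if path in WATCHED and m.issym():
                findings.append({
                    "path": path,
                    "target": m.linkname,
                    "escapes_rootfs": escapes_rootfs(path, m.linkname),
                })
    return findings


def build_layer(entries):
    """Build a layer tarball in memory from (name, kind, payload) tuples; kind is 'file' or 'symlink'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tf.addfile(info)
            else:
                data = payload.encode()
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample layers: one clean, two that escape the image root, one benign in-root link.
CLEAN_LAYER = build_layer([("etc/passwd", "file", "root:x:0:0:root:/root:/bin/sh\n"),
                           ("etc/group", "file", "root:x:0:\n")])
ABSOLUTE_LINK_LAYER = build_layer([("./etc/passwd", "symlink", "/dev/zero")])
RELATIVE_ESCAPE_LAYER = build_layer([("etc/group", "symlink", "../../dev/zero")])
BENIGN_LINK_LAYER = build_layer([("etc/passwd", "symlink", "passwd-")])

if __name__ == "__main__":
    rootfs = "/rootfs"  # illustrative mount point of the image's merged layers
    for label, layer in [("clean", CLEAN_LAYER), ("absolute", ABSOLUTE_LINK_LAYER),
                         ("relative-escape", RELATIVE_ESCAPE_LAYER), ("benign", BENIGN_LINK_LAYER)]:
        for f in scan_layer(layer):
            print(label, f, "naive ->", naive_host_path(rootfs, f["path"], f["target"]),
                  "confined ->", confined_path(rootfs, f["path"], f["target"]))
```

To use it on a real image, export it to an OCI layout (for example with skopeo copy docker://... oci:...) and feed each blob under blobs/sha256 that is a layer to scan_layer; any finding with escapes_rootfs set is a reason to reject the image before a --userns=auto run ever touches it. The benign case (a relative link that stays under etc/) is still reported, because an auto-sizer that reads a symlinked /etc/passwd is unusual enough to deserve a look even when it cannot leave the image.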
🔍 How to Verify
Check if Vulnerable:
You are exposed if any container tool on the host uses automatically assigned user namespaces (--userns=auto on the command line, userns = "auto" in containers.conf, or CRI-O's user-namespace mode annotation) and the installed podman, buildah, or cri-o build predates the fixed build named in the Red Hat advisory for your product.
Check Version:
rpm -q podman buildah cri-o (the library is vendored into these binaries; there is no separate containers-storage package to query), then rpm -q --changelog podman | grep CVE-2024-9676 for the fix note; podman version shows the running binary's version.
Verify Fix Applied:
Confirm the installed build matches or exceeds the fixed version in the advisory and that its changelog references CVE-2024-9676, then confirm a known-good image still runs normally under --userns=auto.
📡 Detection & Monitoring
Log Indicators:
- Kernel OOM-killer messages naming a container runtime process: "Out of memory: Killed process <pid> (podman|buildah|crio)"
- podman, buildah, or crio processes that hang after an image pull or run
- Rapid, unbounded memory growth by a podman, buildah, or crio process
Network Indicators:
- Image pulls from registries or repositories not on your allow-list shortly before the hang
SIEM Query:
journalctl -k | grep -E 'Out of memory: Killed process [0-9]+ \((podman|buildah|crio)\)' (or the equivalent kernel-log search in your SIEM, filtered to the runtime process names)
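To turn the indicators above into something that runs over exported logs, here is an added Python example (not from this page or from Red Hat) that picks container-runtime OOM kills out of kernel log lines. It recognises both the current "Out of memory: Killed process" form and the older "Killed process" form, and keeps only kills whose victim is podman, buildah, or crio. The sample log lines, hostnames, PIDs and sizes are constructed for the example.

```python
"""Pick container-runtime OOM kills out of kernel log lines (CVE-2024-9676 detection aid).

Constructed example: SAMPLE_LOG is made up to match the kernel's OOM-killer message
formats; hostnames, PIDs and memory sizes are illustrative.
"""
import re
import sys

# Processes that embed containers/storage and would be the one reading the image's /etc/passwd.
RUNTIME_COMMS = {"podman", "buildah", "crio"}

# Newer kernels log "Out of memory: Killed process <pid> (<comm>) ..."; older ones log
# "Killed process <pid> (<comm>) ..." on a line of its own. Both carry the pid and the
# task name (comm, truncated by the kernel to 15 characters).
OOM_KILL = re.compile(r"Kill(?:ed)? process (?P<pid>\d+) \((?P<comm>[^)]+)\)")


def parse_oom_kills(lines):
    """Return every OOM kill in `lines` as a dict with pid, comm and the raw line."""
    hits = []
    for line in lines:
        m = OOM_KILL.search(line)
        if m:
            hits.append({"pid": int(m.group("pid")), "comm": m.group("comm"), "line": line})
    return hits


def runtime_oom_kills(lines):
    """Only the kills whose victim is a container runtime; these are what this CVE would produce."""
    return [h for h in parse_oom_kills(lines) if h["comm"] in RUNTIME_COMMS]


# Constructed sample: two runtime kills (podman, crio), one unrelated kill (java),
# plus an oom_reaper follow-up and a systemd line that must not be counted as kills.
SAMPLE_LOG = [
    "Oct 15 10:32:01 node1 kernel: Out of memory: Killed process 41023 (podman) total-vm:16777216kB, "
    "anon-rss:15728640kB, file-rss:0kB, shmem-rss:0kB, UID:0 pgtables:30720kB oom_score_adj:0",
    "Oct 15 10:32:01 node1 kernel: oom_reaper: reaped process 41023 (podman), now anon-rss:0kB, "
    "file-rss:0kB, shmem-rss:0kB",
    "Oct 15 10:45:12 node1 kernel: Out of memory: Killed process 2211 (java) total-vm:8388608kB, "
    "anon-rss:6291456kB, file-rss:0kB, shmem-rss:0kB, UID:1000 pgtables:12288kB oom_score_adj:0",
    "Oct 15 11:02:17 node2 kernel: Killed process 7781 (crio) total-vm:12582912kB, "
    "anon-rss:12058624kB, file-rss:0kB, shmem-rss:0kB",
    "Oct 15 11:02:17 node2 systemd[1]: crio.service: Main process exited, code=killed, status=9/KILL",
]

if __name__ == "__main__":
    # Read from a pipe (e.g. journalctl -k | python3 oom_kills.py); fall back to the sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    for hit in runtime_oom_kills(lines):
        print(f"runtime OOM kill: pid={hit['pid']} comm={hit['comm']}")
        print("  " + hit["line"])
```

A runtime OOM kill on its own is not proof of this CVE, but a podman, buildah, or crio kill that follows a pull of an unfamiliar image on a host configured for --userns=auto is exactly the pattern to escalate; correlate the pid and time with the tool's own logs or the orchestrator's pull events.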
🔗 References
- https://access.redhat.com/errata/RHSA-2024:10289
- https://access.redhat.com/errata/RHSA-2024:8418
- https://access.redhat.com/errata/RHSA-2024:8428
- https://access.redhat.com/errata/RHSA-2024:8437
- https://access.redhat.com/errata/RHSA-2024:8686
- https://access.redhat.com/errata/RHSA-2024:8690
- https://access.redhat.com/errata/RHSA-2024:8694
- https://access.redhat.com/errata/RHSA-2024:8700
- https://access.redhat.com/errata/RHSA-2024:8984
- https://access.redhat.com/errata/RHSA-2024:9051
- https://access.redhat.com/errata/RHSA-2024:9454
- https://access.redhat.com/errata/RHSA-2024:9459
- https://access.redhat.com/errata/RHSA-2024:9926
- https://access.redhat.com/errata/RHSA-2025:0876
- https://access.redhat.com/errata/RHSA-2025:2454
- https://access.redhat.com/errata/RHSA-2025:2710
- https://access.redhat.com/errata/RHSA-2025:3301
- https://access.redhat.com/security/cve/CVE-2024-9676
- https://bugzilla.redhat.com/show_bug.cgi?id=2317467
- https://github.com/advisories/GHSA-wq2p-5pc6-wpgf