CVE-2025-0426
📋 TL;DR
This vulnerability in Kubernetes allows unauthenticated attackers to cause a node denial of service by sending numerous container checkpoint requests to the kubelet's read-only HTTP endpoint, filling the node's disk with checkpoint archives. It affects Kubernetes clusters in which the kubelet's unauthenticated read-only port is enabled. Attackers can disrupt node availability without any credentials.
💻 Affected Systems
- Kubernetes
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete node unavailability due to disk exhaustion, causing pod evictions and service disruption across the cluster.
Likely Case
Degraded node performance leading to pod failures and potential cascading cluster issues.
If Mitigated
Minimal impact if proper network segmentation and authentication controls are implemented.
🎯 Exploit Status
Simple HTTP requests can trigger the vulnerability without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Kubernetes security advisory for specific patched versions
Vendor Advisory: https://groups.google.com/g/kubernetes-security-announce/c/KiODfu8i6w8
Restart Required: Yes
Instructions:
1. Update Kubernetes to the patched version.
2. Restart the kubelet service on all nodes.
3. Verify the fix by checking the kubelet version and testing endpoint access.
🔧 Temporary Workarounds
Disable kubelet read-only HTTP endpoint
Linux: disable the vulnerable unauthenticated endpoint to prevent exploitation.
Edit kubelet config: set --read-only-port=0 on the kubelet command line, or readOnlyPort: 0 in the KubeletConfiguration file (the flag is deprecated in favour of the config file field; whichever one your nodes actually use must be changed)
Restart kubelet: systemctl restart kubelet
Network segmentation
Linux: restrict access to the kubelet read-only port (default 10255) so that only trusted networks can reach it. The iptables rule below drops all traffic to the port; because -A appends, any ACCEPT for a trusted scraper must already be earlier in the chain. TRUSTED_NETWORK is a placeholder for your own CIDR.
iptables -A INPUT -p tcp --dport 10255 -j DROP
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_NETWORK" port port="10255" protocol="tcp" accept'
firewall-cmd --reload
🧯 If You Can't Patch
- Implement strict network controls to block external access to kubelet read-only port (10255)
- Monitor disk usage on nodes and set up alerts for rapid disk consumption
🔍 How to Verify
Check if Vulnerable:
Check if the kubelet read-only port (default 10255) is accessible (replace node-ip with the node's address; any HTTP response means the unauthenticated port is reachable): curl -v http://node-ip:10255/checkpoint/
Check Version:
kubelet --version
Verify Fix Applied:
Verify kubelet version is patched and read-only endpoint returns appropriate error or is inaccessible
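The workaround and the verification steps above both come down to one question per node: is the kubelet's read-only port actually off? The following audit script is an added example, not code from the advisory or from the Kubernetes project. It assumes the KubeletConfiguration file lives at /var/lib/kubelet/config.yaml (a common kubeadm location, overridable with KUBELET_CONFIG), reads the running kubelet's flags with ps, and checks for a listener with ss; the flag takes precedence over the file, and when neither mentions the port the script reports "unknown" and falls back to probing the default port 10255 locally rather than guessing a default.

```shell
#!/bin/sh
# Added example: audit one node's kubelet read-only port setting.
# Not from the advisory or from Kubernetes; the config path below is an
# assumption (common kubeadm location), override it with KUBELET_CONFIG.
KUBELET_CONFIG="${KUBELET_CONFIG:-/var/lib/kubelet/config.yaml}"

# readOnlyPort from a KubeletConfiguration YAML read on stdin.
# Prints the number, or nothing when the field is absent.
readonly_port_from_config() {
  sed -n 's/^[[:space:]]*readOnlyPort:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# --read-only-port=N from the kubelet command line passed as $1
# (the --flag=value form only; adjust if your unit file uses "--flag value").
readonly_port_from_args() {
  printf '%s\n' "$1" | tr ' ' '\n' \
    | sed -n 's/^--read-only-port=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Effective setting: $1 = config file text, $2 = command line.
# The flag wins over the file; with neither present we print "unknown"
# instead of assuming a default, and let the listener check decide.
effective_readonly_port() {
  rop=$(readonly_port_from_args "$2")
  [ -n "$rop" ] || rop=$(printf '%s\n' "$1" | readonly_port_from_config)
  if [ -n "$rop" ]; then printf '%s\n' "$rop"; else printf 'unknown\n'; fi
}

# 0 means the unauthenticated endpoint is off (workaround applied).
classify_readonly_port() {
  case "$1" in
    0)       echo mitigated ;;
    unknown) echo unknown ;;
    *)       echo exposed ;;
  esac
}

# True when a TCP listener is bound to port $1 on this host (needs ss).
listener_on_port() {
  ss -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p"$" { found = 1 } END { exit !found }'
}

# Live audit of this node: config file, running flags, version, listener.
audit_node() {
  cfg=$(cat "$KUBELET_CONFIG" 2>/dev/null || true)
  args=$(ps -o args= -C kubelet 2>/dev/null | head -n 1)
  port=$(effective_readonly_port "$cfg" "$args")
  verdict=$(classify_readonly_port "$port")
  echo "kubelet version: $(kubelet --version 2>/dev/null || echo 'kubelet not on PATH')"
  echo "readOnlyPort=$port verdict=$verdict"
  check=$port
  if [ "$check" = unknown ]; then check=10255; fi
  if [ "$verdict" != mitigated ] && listener_on_port "$check"; then
    echo "WARNING: kubelet read-only listener is up on :$check; set readOnlyPort: 0 and restart kubelet"
  fi
}

# Run the live audit only when asked, so the functions above can also be sourced.
if [ "${1:-}" = "--audit" ]; then audit_node; fi
```

Run it on each node as `sh kubelet-ro-audit.sh --audit` (the script name is arbitrary). A verdict of "exposed" or "unknown" together with the listener warning means the unauthenticated port is still serving and the disable-the-port workaround has not taken effect; after the patch, the port may still be open, so the listener warning on a patched node is a prompt to confirm the version rather than proof of exposure.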
📡 Detection & Monitoring
Log Indicators:
- High frequency of checkpoint requests in kubelet logs
- Rapid disk usage increase on nodes
- Pod eviction events due to disk pressure
Network Indicators:
- Multiple HTTP requests to port 10255/checkpoint/ from single source
- Unusual traffic patterns to kubelet endpoints
SIEM Query:
source="kubelet" AND "checkpoint" | stats count by src_ip
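The SIEM query above counts checkpoint requests per source address. The script below is an added example, not part of the advisory, that does the same thing offline with awk so the logic can be run against exported logs or tested before it is turned into a rule. The log line format is constructed for this example (klog-style prefix followed by method, path and src fields); kubelet request logging varies with verbosity and many clusters only see these requests at a proxy or firewall, so the one field extraction in the awk program is the part to adapt. A threshold of 3 is used on the sample purely to make the flagged source visible; a real rule would use a much higher count per time window. The last function reads the DiskPressure node condition with kubectl, which is the cluster-side signal that the disk-filling is already under way.

```shell
#!/bin/sh
# Added example, not part of the advisory: count kubelet checkpoint requests
# per source address and flag sources above a threshold. The log format is
# CONSTRUCTED for this example; adapt the src/path extraction to what your
# kubelet, proxy or firewall actually logs.

# Constructed sample input: four checkpoint calls from 10.0.0.7, one from
# 10.0.0.9, plus unrelated /healthz traffic that must not be counted.
SAMPLE_LOG='I0213 10:00:01.000001 1234 server.go:1 "HTTP request" method="POST" path="/checkpoint/default/web/app" src="10.0.0.7:4242"
I0213 10:00:01.200001 1234 server.go:1 "HTTP request" method="GET" path="/healthz" src="10.0.0.1:5000"
I0213 10:00:01.400001 1234 server.go:1 "HTTP request" method="POST" path="/checkpoint/default/web/app" src="10.0.0.7:4243"
I0213 10:00:01.600001 1234 server.go:1 "HTTP request" method="POST" path="/checkpoint/kube-system/dns/coredns" src="10.0.0.9:3333"
I0213 10:00:01.800001 1234 server.go:1 "HTTP request" method="POST" path="/checkpoint/default/web/app" src="10.0.0.7:4244"
I0213 10:00:02.000001 1234 server.go:1 "HTTP request" method="POST" path="/checkpoint/default/web/app" src="10.0.0.7:4245"'

# Read log lines on stdin; print "<count> <src_ip>" for every source that hit
# a /checkpoint/ path, highest count first (the shell equivalent of
# `... "checkpoint" | stats count by src_ip`).
checkpoint_requests_by_src() {
  awk '
    /path="\/checkpoint\// {
      if (match($0, /src="[^"]*"/)) {
        src = substr($0, RSTART + 5, RLENGTH - 6)   # strip the src=" and " wrapper
        sub(/:[0-9]+$/, "", src)                    # drop the ephemeral client port
        count[src]++
      }
    }
    END { for (s in count) printf "%d %s\n", count[s], s }
  ' | sort -rn
}

# Keep only sources whose checkpoint request count reaches the threshold ($1).
flag_sources() {
  awk -v t="$1" '$1 >= t { print $2 }'
}

# Cluster-side indicator: DiskPressure condition per node (needs kubectl access).
nodes_disk_pressure() {
  kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.conditions[?(@.type=="DiskPressure")].status}{"\n"}{end}'
}

# Usage: no arguments analyses the constructed sample at threshold 3;
# "-" reads real lines from stdin, e.g.
#   journalctl -u kubelet --no-pager | sh checkpoint-detect.sh -
if [ "${1:-}" = "-" ]; then
  checkpoint_requests_by_src | flag_sources 50
elif [ $# -eq 0 ]; then
  printf '%s\n' "$SAMPLE_LOG" | checkpoint_requests_by_src | flag_sources 3
fi
```

On the sample this prints `10.0.0.7` only: the /healthz line is ignored by the path filter and 10.0.0.9 stays under the threshold. Pair the per-source count with the disk side: a source that is flagged here while `nodes_disk_pressure` shows a node flipping to True is the pattern this advisory describes.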