CVE-2025-4437
📋 TL;DR
This CVE describes a denial-of-service vulnerability in CRI-O where launching a container with a non-existent runAsUser causes CRI-O to read the entire /etc/passwd file into memory. If /etc/passwd is excessively large, this leads to high memory consumption that can crash applications and disrupt other pods on the same host. This affects Kubernetes clusters using CRI-O as their container runtime.
💻 Affected Systems
- CRI-O
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could craft containers with malicious /etc/passwd files to cause memory exhaustion, crashing CRI-O and disrupting all containers on the host, potentially affecting multiple services and pods.
Likely Case
Accidental or malicious creation of containers with large /etc/passwd files leads to memory pressure, causing individual container failures and potential pod evictions.
If Mitigated
With proper resource limits and monitoring, impact is limited to individual containers or pods rather than host-wide disruption.
🎯 Exploit Status
Exploitation requires ability to create containers with specific configurations and access to modify /etc/passwd within containers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisory for specific fixed versions
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-4437
Restart Required: No
Instructions:
1. Check the Red Hat advisory for affected versions.
2. Update CRI-O to the patched version.
3. Verify no containers are using vulnerable configurations.
🔧 Temporary Workarounds
Prevent non-existent user creation
Configure pod security policies or admission controllers to reject containers specifying non-existent users in securityContext.runAsUser
Limit /etc/passwd size
Implement container image scanning to reject images with excessively large /etc/passwd files
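Both workarounds above can be expressed as one pre-admission check. The following is an added example, not CRI-O's or Red Hat's code; it assumes the image's /etc/passwd has already been extracted as bytes, that securityContext.runAsUser arrives as an integer UID, and that MAX_PASSWD_BYTES is a locally chosen threshold.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

MAX_PASSWD_BYTES = 64 * 1024  # assumed threshold: a typical /etc/passwd is a few KB


@dataclass
class PasswdCheck:
    size: int
    uids: Set[int] = field(default_factory=set)
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_passwd_uids(data: bytes) -> Set[int]:
    """Collect numeric UIDs from passwd lines (name:pw:UID:GID:gecos:home:shell)."""
    uids = set()
    for raw in data.splitlines():
        line = raw.decode("utf-8", errors="replace").strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            uids.add(int(fields[2]))
    return uids


def check_run_as_user(passwd: bytes, run_as_user: Optional[int],
                      max_bytes: int = MAX_PASSWD_BYTES) -> PasswdCheck:
    """Flag an oversized passwd, a runAsUser with no entry, and the combination."""
    result = PasswdCheck(size=len(passwd), uids=parse_passwd_uids(passwd))
    if result.size > max_bytes:
        result.findings.append(f"/etc/passwd is {result.size} bytes (limit {max_bytes})")
    if run_as_user is not None and run_as_user not in result.uids:
        result.findings.append(f"runAsUser {run_as_user} has no /etc/passwd entry")
    if len(result.findings) == 2:  # exactly the condition described in the CVE
        result.findings.append("missing user + oversized passwd: CRI-O reads the whole file")
    return result


# Constructed sample input: a normal passwd, and one padded past the threshold.
SAMPLE_PASSWD = b"root:x:0:0:root:/root:/bin/bash\napp:x:1000:1000::/home/app:/bin/sh\n"
OVERSIZED_PASSWD = SAMPLE_PASSWD + b"".join(
    b"u%d:x:%d:%d::/nonexistent:/sbin/nologin\n" % (i, i, i) for i in range(2000, 4000))

if __name__ == "__main__":
    for uid, pw in [(1000, SAMPLE_PASSWD), (4242, OVERSIZED_PASSWD)]:
        res = check_run_as_user(pw, uid)
        print("ADMIT" if res.ok else "REJECT", res.findings)
```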
🧯 If You Can't Patch
- Implement strict pod security policies to prevent containers from specifying non-existent users
- Monitor memory usage on nodes and set alerts for abnormal consumption patterns
🔍 How to Verify
Check if Vulnerable:
Check the CRI-O version against the Red Hat advisory and review container configurations for runAsUser settings that reference non-existent users
Check Version:
crio --version
Verify Fix Applied:
Verify that CRI-O has been updated to the patched version, then test container creation with a non-existent runAsUser to confirm there is no memory spike
📡 Detection & Monitoring
Log Indicators:
- CRI-O logs showing user creation attempts
- Kernel OOM killer messages
- Container runtime memory usage spikes
Network Indicators:
- Unusual container creation patterns
SIEM Query:
(source="crio" AND "runAsUser" AND "creating user") OR (source="kernel" AND "Out of memory")