CVE Alert: CVE-2025-9566 – Red Hat – Red Hat Enterprise Linux 10
CVE-2025-9566
There is a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file contains a Secret or a ConfigMap volume mount and that volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten, not the content written into the file.
Binary-Affected: podman
Upstream-version-introduced: v4.0.0
Upstream-version-fixed: v5.6.1
AI Summary Analysis
Risk verdict
High risk of remote, low-privilege exploitation that could overwrite host files via the podman kube play workflow, though SSVC/ADP data does not currently indicate active exploitation.
Why this matters
Attackers could impact host integrity and availability by altering critical files, potentially affecting clusters using Podman/OpenShift. Realistic goals include temporary or persistent disruption of workloads, or footholds that leverage manipulated host files in container operations.
Most likely attack path
An adversary delivers or crafts a Kubernetes YAML (potentially via untrusted sources). They trigger podman kube play to mount a Secret or ConfigMap volume that contains a symlink to a host path, enabling targeted host-file overwrites. The flaw is network-exploitable with low privileges and no user interaction required; normal scope remains unchanged.
Who is most exposed
Environments running Podman on Red Hat Enterprise Linux 8–10 and OpenShift 4, particularly where YAML manifests or CI/CD pipelines supply manifests from developers or external sources.
Detection ideas
- Alert on podman kube play invocations with manifests containing host-path symlinks in volume mounts.
- Monitor host file systems for unexpected overwrites or rapid symlink-target changes to host paths.
- Review Podman logs for kube play, especially mounts involving Secret/ConfigMap volumes.
- Alert on creation or expansion of symbolic links that point outside standard container directories.
- Integrity monitoring for Secrets/ConfigMaps mounted as volumes.
Mitigation and prioritisation
- Patch Podman to the fixed release (v5.6.1+ where available) and verify patch applicability across RHEL 8/9/10 and OpenShift 4.
- Do not run kube play with untrusted Kubernetes YAML; validate content before execution.
- Enforce strict YAML provenance, RBAC, and least-privilege for Podman/kube play; apply AppArmor/SELinux controls where feasible.
- Restrict host-path access and review volume mount configurations in manifests.
- Plan remediation within the next maintenance window; establish monitoring to catch post-patch anomalous host-file activity. If EPSS or KEV indicators become positive, elevate the priority accordingly.
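The precondition the advisory describes is a Secret/ConfigMap volume directory that contains a symlink resolving to a host path. As an added example (not Podman's own code and not from the advisory), the following Python pre-flight check walks a volume directory, flags every symlink whose resolved target lies outside the volume root, and builds a constructed sample layout to show a hit; the directory names and file contents are assumptions for the demo only.

```python
import os
import tempfile
from pathlib import Path

def is_inside(root: str, target: str) -> bool:
    """Lexical containment on normalised absolute paths; compares path
    components, not string prefixes, so /volume is not inside /vol."""
    r, t = Path(root), Path(target)
    return t == r or r in t.parents

def find_escaping_symlinks(volume_root: str) -> list[tuple[str, str]]:
    """Return (link, resolved_target) for each symlink under volume_root whose
    final target is outside the volume: the precondition the advisory describes,
    since a Secret/ConfigMap write through such a link lands on the host path."""
    root = Path(volume_root).resolve()
    findings = []
    # followlinks=False: symlinked dirs are listed in dirnames but not entered.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            # resolve() follows the whole chain; a dangling link still yields the
            # path a write would be redirected to.
            target = link.resolve()
            if not is_inside(str(root), str(target)):
                findings.append((str(link), str(target)))
    return findings

def demo() -> list[str]:
    """Constructed sample layout (not from the advisory): one internal symlink
    and one that points at a fake host file. Returns names of escaping links."""
    with tempfile.TemporaryDirectory() as base:
        base = Path(base)
        host_file = base / "host" / "etc" / "target.conf"
        host_file.parent.mkdir(parents=True)
        host_file.write_text("original host content\n")
        volume = base / "volume"
        (volume / "data").mkdir(parents=True)
        (volume / "data" / "config.yaml").write_text("key: value\n")
        os.symlink(volume / "data" / "config.yaml", volume / "alias.yaml")  # stays inside
        os.symlink(host_file, volume / "escaped.conf")  # escapes to the host path
        return [Path(link).name for link, _ in find_escaping_symlinks(volume)]

if __name__ == "__main__":
    print(demo())
```

Run the check against the directory a manifest's Secret/ConfigMap volume will be written into and refuse to run kube play when it returns any findings.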