CVE-2024-8676

Cri-o: checkpoint restore can be triggered from different namespaces

Description

A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.

Remediation

Workaround:

  • Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Category

7.4
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.11%
Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com
Affected: Red Hat Red Hat OpenShift Container Platform 4.15
Affected: Red Hat Red Hat OpenShift Container Platform 4.16
Affected: Red Hat Red Hat OpenShift Container Platform 4.17
Affected: Red Hat Red Hat OpenShift Container Platform 4.18
Affected: Red Hat Red Hat OpenShift Container Platform 4.18
Affected: Red Hat Red Hat Enterprise Linux 8
Affected: Red Hat Red Hat Enterprise Linux 8
Affected: Red Hat Red Hat Enterprise Linux 9
Affected: Red Hat Red Hat OpenShift Container Platform 3.11
Affected: Red Hat Red Hat OpenShift Container Platform 4
Affected: Red Hat Red Hat OpenShift Container Platform 4
Published at:
Updated at:

References

Link Tags
https://access.redhat.com/errata/RHBA-2024:10826 vendor advisory
https://access.redhat.com/errata/RHSA-2025:0648 vendor advisory
https://access.redhat.com/errata/RHSA-2025:1908 vendor advisory
https://access.redhat.com/errata/RHSA-2025:3297 vendor advisory
https://access.redhat.com/errata/RHSA-2025:4211 vendor advisory
https://access.redhat.com/security/cve/CVE-2024-8676 vdb entry
https://bugzilla.redhat.com/show_bug.cgi?id=2313842 issue tracking

Frequently Asked Questions

What is the severity of CVE-2024-8676?
CVE-2024-8676 has been scored as a high severity vulnerability.
How to fix CVE-2024-8676?
As a workaround for remediating CVE-2024-8676: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Is CVE-2024-8676 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-8676 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-8676?
CVE-2024-8676 affects Red Hat Red Hat OpenShift Container Platform 4.15, Red Hat Red Hat OpenShift Container Platform 4.16, Red Hat Red Hat OpenShift Container Platform 4.17, Red Hat Red Hat OpenShift Container Platform 4.18, Red Hat Red Hat OpenShift Container Platform 4.18, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat OpenShift Container Platform 3.11, Red Hat Red Hat OpenShift Container Platform 4, Red Hat Red Hat OpenShift Container Platform 4.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.