Bug 2393152 (CVE-2025-9566)

Summary: CVE-2025-9566 podman: Podman kube play command may overwrite host files
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: sdawley
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file contains a Secret or a ConfigMap volume mount and that volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten, not the content written into the file.
Binary-Affected: podman
Upstream-version-introduced: v4.0.0
Upstream-version-fixed: v5.6.1
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2393153, 2393154, 2393459
Bug Blocks:

Description OSIDB Bzimport 2025-09-04 15:48:05 UTC
The podman kube play command can overwrite host files when the kube file contains a ConfigMap or Secret volume mount and the volume already contains a symlink to a host file. This allows a malicious container to write to arbitrary files on the host, but the attacker only controls the target path, not the contents that will be written to the file. The contents are defined in the YAML file by the end user.
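
The Doc Text and the description above both describe the same bug class: an entry from a ConfigMap or Secret is written into a volume directory, and if a symlink already sits at that path the write follows it onto the host. The following is an added example, not podman's code and not the fix shipped in v5.6.1; the function names (writeEntryUnsafe, writeEntrySafe, demo) and the temp-directory layout are hypothetical, constructed here so the vulnerable pattern and a hardened write can be run side by side offline:

```go
// Added illustration of the bug class behind CVE-2025-9566: writing a
// ConfigMap/Secret entry into a volume directory without checking whether the
// destination is already a symlink. Example code, not podman's own; the
// function names are hypothetical.
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// ErrSymlinkTarget is returned when the destination path is a symbolic link.
var ErrSymlinkTarget = errors.New("refusing to write through a symlink")

// writeEntryUnsafe shows the vulnerable pattern: os.WriteFile resolves the
// destination through any symlink already present, so a link planted at
// volumeDir/name redirects the write (and the truncation) to the link target.
func writeEntryUnsafe(volumeDir, name string, data []byte) error {
	return os.WriteFile(filepath.Join(volumeDir, name), data, 0o600)
}

// writeEntrySafe writes the same entry but refuses to follow a symlink at the
// final path component. O_NOFOLLOW makes the kernel fail the open with ELOOP
// if that component is a link, so there is no check-then-open race; the
// preceding Lstat only exists to give the caller a clearer error.
func writeEntrySafe(volumeDir, name string, data []byte) error {
	dst := filepath.Join(volumeDir, name)
	if fi, err := os.Lstat(dst); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("%s: %w", dst, ErrSymlinkTarget)
	}
	f, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// demo builds a constructed scenario in a temp directory: a stand-in "host"
// file and a volume directory holding a symlink to it, then runs both writers.
// It returns the host file contents after each write so the effect is visible.
func demo() (afterUnsafe, afterSafe string, safeErr error, err error) {
	root, err := os.MkdirTemp("", "cve-2025-9566-demo")
	if err != nil {
		return "", "", nil, err
	}
	defer os.RemoveAll(root)

	hostFile := filepath.Join(root, "host-config") // stands in for a host path
	volumeDir := filepath.Join(root, "volume")
	if err := os.WriteFile(hostFile, []byte("original\n"), 0o600); err != nil {
		return "", "", nil, err
	}
	if err := os.Mkdir(volumeDir, 0o700); err != nil {
		return "", "", nil, err
	}
	// The attacker-controlled part: a symlink where the entry will be written.
	if err := os.Symlink(hostFile, filepath.Join(volumeDir, "app.conf")); err != nil {
		return "", "", nil, err
	}

	payload := []byte("kube-yaml-content\n") // content comes from the YAML, not the attacker

	if err := writeEntryUnsafe(volumeDir, "app.conf", payload); err != nil {
		return "", "", nil, err
	}
	b, err := os.ReadFile(hostFile)
	if err != nil {
		return "", "", nil, err
	}
	afterUnsafe = string(b)

	// Reset the host file, then show the hardened writer refusing the same layout.
	if err := os.WriteFile(hostFile, []byte("original\n"), 0o600); err != nil {
		return "", "", nil, err
	}
	safeErr = writeEntrySafe(volumeDir, "app.conf", payload)
	b, err = os.ReadFile(hostFile)
	if err != nil {
		return "", "", nil, err
	}
	afterSafe = string(b)
	return afterUnsafe, afterSafe, safeErr, nil
}

func main() {
	u, s, safeErr, err := demo()
	if err != nil {
		fmt.Println("demo failed:", err)
		os.Exit(1)
	}
	fmt.Printf("after unsafe write: %q\nafter safe write:   %q\nsafe writer error:  %v\n", u, s, safeErr)
}
```

Running the demo shows the unsafe writer replacing the host file's contents with the YAML-supplied payload, which matches the advisory's point that the attacker chooses the target but not the data. Note that O_NOFOLLOW guards only the final path component: a symlinked parent directory inside the volume would still be traversed, so a complete fix has to resolve every component under the volume root (on Linux, openat2 with RESOLVE_BENEATH, or an equivalent safe-join walk) rather than rely on this check alone.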

Comment 1 errata-xmlrpc 2025-09-16 02:18:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:15901 https://access.redhat.com/errata/RHSA-2025:15901

Comment 2 errata-xmlrpc 2025-09-16 03:50:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:15900 https://access.redhat.com/errata/RHSA-2025:15900

Comment 3 errata-xmlrpc 2025-09-16 05:49:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:15904 https://access.redhat.com/errata/RHSA-2025:15904

Comment 4 errata-xmlrpc 2025-09-23 14:03:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:16480 https://access.redhat.com/errata/RHSA-2025:16480

Comment 5 errata-xmlrpc 2025-09-23 15:35:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:16481 https://access.redhat.com/errata/RHSA-2025:16481

Comment 6 errata-xmlrpc 2025-09-23 15:35:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:16482 https://access.redhat.com/errata/RHSA-2025:16482

Comment 7 errata-xmlrpc 2025-09-23 16:44:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:16488 https://access.redhat.com/errata/RHSA-2025:16488

Comment 8 errata-xmlrpc 2025-09-23 18:27:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:16515 https://access.redhat.com/errata/RHSA-2025:16515

Comment 11 errata-xmlrpc 2025-10-22 05:08:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:18218 https://access.redhat.com/errata/RHSA-2025:18218

Comment 12 errata-xmlrpc 2025-10-22 06:19:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.19

Via RHSA-2025:18217 https://access.redhat.com/errata/RHSA-2025:18217

Comment 13 errata-xmlrpc 2025-10-23 17:44:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2025:18240 https://access.redhat.com/errata/RHSA-2025:18240

Comment 14 errata-xmlrpc 2025-10-29 09:25:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:19046 https://access.redhat.com/errata/RHSA-2025:19046

Comment 15 errata-xmlrpc 2025-10-30 05:35:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.20

Via RHSA-2025:19002 https://access.redhat.com/errata/RHSA-2025:19002

Comment 16 errata-xmlrpc 2025-10-30 05:40:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:19041 https://access.redhat.com/errata/RHSA-2025:19041

Comment 17 errata-xmlrpc 2025-11-11 13:48:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:20909 https://access.redhat.com/errata/RHSA-2025:20909

Comment 18 errata-xmlrpc 2025-11-11 19:09:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:20983 https://access.redhat.com/errata/RHSA-2025:20983

Comment 19 errata-xmlrpc 2025-11-13 09:44:51 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2025:19894 https://access.redhat.com/errata/RHSA-2025:19894