Bug 2375084 (CVE-2025-4437) - CVE-2025-4437 cri-o: Large /etc/passwd file may lead to Denial of Service
Summary: CVE-2025-4437 cri-o: Large /etc/passwd file may lead to Denial of Service
Keywords:
Status: NEW
Alias: CVE-2025-4437
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2375086 2375087 2375088 2375089 2375090 2375091 2375092 2375093 2375094 2375095 2375096
Blocks:
Reported: 2025-06-26 22:20 UTC by OSIDB Bzimport
Modified: 2025-06-26 22:28 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-06-26 22:20:38 UTC
When running a container using the `securityContext.runAsUser` setting to specify which user the container should be run as, if the requested user is not present in the '/etc/passwd' file in the container image, cri-o tries to create the new user information. For that, cri-o reads the passwd file into memory all at once using the os.ReadFile() function. If the passwd file being read is too big, this can lead to increased memory consumption, eventually resulting in a Denial of Service.
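The following Go program is an added illustration of the read-all-at-once pattern the description refers to, placed beside a bounded alternative; it is not cri-o's code and makes no claim about how the project fixed the issue. The function names (`LookupUIDReadAll`, `LookupUIDBounded`), the `ErrPasswdTooLarge` sentinel and the byte budgets are assumptions chosen for the example. The unbounded variant's memory use is proportional to whatever size the image author gave `/etc/passwd`; the bounded variant streams the file with `bufio.Scanner` behind an `io.LimitedReader`, so it uses at most one line's worth of memory and reports an error instead of growing when the file or a single line exceeds the budget.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)

// PasswdEntry is one /etc/passwd record: name:pw:uid:gid:gecos:home:shell.
type PasswdEntry struct {
	Name  string
	UID   uint32
	GID   uint32
	Home  string
	Shell string
}

// ErrPasswdTooLarge (hypothetical sentinel) is returned when the file or one
// of its lines exceeds the configured byte budget.
var ErrPasswdTooLarge = errors.New("passwd file exceeds size limit")

// parsePasswdLine parses a single record; ok is false for blank, comment or
// malformed lines so that a hostile file cannot crash the lookup.
func parsePasswdLine(line string) (PasswdEntry, bool) {
	line = strings.TrimRight(line, "\r")
	if line == "" || strings.HasPrefix(line, "#") {
		return PasswdEntry{}, false
	}
	f := strings.Split(line, ":")
	if len(f) < 7 {
		return PasswdEntry{}, false
	}
	uid, err := strconv.ParseUint(f[2], 10, 32)
	if err != nil {
		return PasswdEntry{}, false
	}
	gid, err := strconv.ParseUint(f[3], 10, 32)
	if err != nil {
		return PasswdEntry{}, false
	}
	return PasswdEntry{Name: f[0], UID: uint32(uid), GID: uint32(gid), Home: f[5], Shell: f[6]}, true
}

// LookupUIDReadAll is the unbounded pattern: the caller has already loaded the
// whole file (typically via os.ReadFile), so peak memory equals the file size.
func LookupUIDReadAll(data []byte, uid uint32) (PasswdEntry, bool) {
	for _, line := range strings.Split(string(data), "\n") {
		if e, ok := parsePasswdLine(line); ok && e.UID == uid {
			return e, true
		}
	}
	return PasswdEntry{}, false
}

// LookupUIDBounded streams the file and refuses to consume more than maxBytes
// in total or more than maxLine bytes on one line. Memory stays bounded by
// maxLine no matter how large the file in the image is.
func LookupUIDBounded(r io.Reader, uid uint32, maxBytes int64, maxLine int) (PasswdEntry, bool, error) {
	// Allow one byte beyond the budget so "exactly maxBytes" and "too big" are distinguishable.
	lr := &io.LimitedReader{R: r, N: maxBytes + 1}
	sc := bufio.NewScanner(lr)
	initial := 4096
	if maxLine < initial {
		initial = maxLine
	}
	sc.Buffer(make([]byte, 0, initial), maxLine) // max token size == maxLine
	for sc.Scan() {
		if e, ok := parsePasswdLine(sc.Text()); ok && e.UID == uid {
			return e, true, nil
		}
	}
	if err := sc.Err(); err != nil {
		if errors.Is(err, bufio.ErrTooLong) {
			return PasswdEntry{}, false, fmt.Errorf("%w: line longer than %d bytes", ErrPasswdTooLarge, maxLine)
		}
		return PasswdEntry{}, false, err
	}
	if lr.N == 0 { // the reader handed out maxBytes+1 bytes: the file is over budget
		return PasswdEntry{}, false, fmt.Errorf("%w: more than %d bytes", ErrPasswdTooLarge, maxBytes)
	}
	return PasswdEntry{}, false, nil
}

func main() {
	// Constructed sample content; a real run would os.Open the image's /etc/passwd.
	sample := "root:x:0:0:root:/root:/bin/bash\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
	e, found, err := LookupUIDBounded(strings.NewReader(sample), 65534, 1<<20, 64*1024)
	fmt.Println(e.Name, found, err)
	if f, err := os.Open("/etc/passwd"); err == nil {
		defer f.Close()
		e, found, err := LookupUIDBounded(f, 0, 1<<20, 64*1024)
		fmt.Println(e.Name, found, err)
	}
}
```

In the bounded variant the error surfaces on the caller's side instead of as memory pressure on the node, which is the property a runtime wants when the file contents come from an untrusted image.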

