
Cloud Vulnerability DB
A community-led vulnerabilities database
A security vulnerability (CVE-2025-0426) was discovered in Kubernetes affecting the kubelet component. The issue was disclosed on February 13, 2025: a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint can cause a Node Denial of Service by filling the Node's disk. The vulnerability affects multiple versions of kubelet, including v1.32.0-1.32.1, v1.31.0-1.31.5, and v1.30.0-1.30.9 (Kubernetes Issue, OSS Security).
The vulnerability has been assigned a CVSS v3.1 score of 6.2 (Medium) with the vector string `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`. Only clusters with the kubelet read-only HTTP port enabled and a container runtime that supports container checkpointing are affected, such as CRI-O v1.25.0+ (with `enable_criu_support` set to true) or containerd v2.0+ with criu installed (Kubernetes Issue).
When exploited, this vulnerability can lead to a Node Denial of Service condition by filling up the Node's disk space through excessive checkpoint requests. The impact is particularly significant for clusters with exposed kubelet read-only endpoints and enabled container checkpointing features (Kubernetes Security Announce).
Several mitigation options are available: 1) Upgrade to fixed versions (kubelet v1.32.2, v1.31.6, v1.30.10, or v1.29.14), 2) Set the ContainerCheckpoint feature gate to false in kubelet configuration, 3) Disable the kubelet read-only port, or 4) Limit access to the kubelet API. The fixed versions enforce authentication for the kubelet Checkpoint API (Kubernetes Issue, OSS Security).
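The kubelet-side preconditions above (read-only port enabled, ContainerCheckpoint feature gate on, unfixed kubelet version) can be checked from a node's KubeletConfiguration file. The following audit script is an added example, not code from the advisory or the Kubernetes project; it assumes the kubelet config is available in JSON form (the kubelet accepts YAML or JSON for `--config`), that the ContainerCheckpoint gate defaults to enabled from v1.30 onward, and it does not cover the runtime-side CRIU condition, which must be verified separately.

```python
"""Audit a KubeletConfiguration for the kubelet-side CVE-2025-0426 conditions."""
import json
import re

# Kubelet patch releases that enforce authentication on the Checkpoint API
# (fixed versions listed in the advisory).
FIXED_PATCH = {29: 14, 30: 10, 31: 6, 32: 2}


def parse_version(version):
    """Return (minor, patch) from a kubelet version such as 'v1.31.5'."""
    m = re.match(r"^v?1\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised kubelet version: {version}")
    return int(m.group(1)), int(m.group(2))


def is_fixed(version):
    """True when the kubelet version already contains the fix."""
    minor, patch = parse_version(version)
    if minor > max(FIXED_PATCH):
        return True
    if minor in FIXED_PATCH:
        return patch >= FIXED_PATCH[minor]
    return False  # older, out-of-support release lines: treat as unfixed


def assess(cfg_text, version):
    """Report which exposure conditions hold for this kubelet config/version."""
    cfg = json.loads(cfg_text)
    minor, _ = parse_version(version)
    read_only_port = cfg.get("readOnlyPort", 0)  # 0 = disabled (config default)
    gates = cfg.get("featureGates", {})
    # Assumption: ContainerCheckpoint is beta and on by default from v1.30.
    checkpoint_gate = gates.get("ContainerCheckpoint", minor >= 30)
    findings = []
    if read_only_port:
        findings.append(f"read-only port {read_only_port} is enabled")
    if checkpoint_gate:
        findings.append("ContainerCheckpoint feature gate is enabled")
    if not is_fixed(version):
        findings.append(f"kubelet {version} predates the fix")
    exposed = bool(read_only_port) and checkpoint_gate and not is_fixed(version)
    return {"exposed": bool(exposed), "findings": findings}


# Constructed sample configs (not taken from a real cluster).
_BASE = {"kind": "KubeletConfiguration", "apiVersion": "kubelet.config.k8s.io/v1beta1"}
WEAK_CONFIG = json.dumps({**_BASE, "readOnlyPort": 10255})
HARDENED_CONFIG = json.dumps({**_BASE, "readOnlyPort": 0,
                              "featureGates": {"ContainerCheckpoint": False}})
```

Running `assess(WEAK_CONFIG, "v1.31.5")` flags all three conditions, while the hardened config applies mitigations 2 and 3 from the list above and is reported as not exposed even on an unfixed kubelet.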
The vulnerability was reported and fixed by Tim Allclair (@tallclair) from Google, with coordination from the Kubernetes Security Response Committee including Sascha Grunert, Craig Ingram, and Jordan Liggitt (Kubernetes Issue).
Source: This report was generated using AI