CVE-2025-6032: 
Podman vulnerability analysis and mitigation

A security vulnerability (CVE-2025-6032) was discovered in Podman, affecting versions 4.8.0 and later. The vulnerability was disclosed on June 24, 2025, and involves the podman machine init command failing to verify TLS certificates when downloading VM images from an OCI registry. This functionality became the default method for pulling images in version 5.0.0 (Wiz, Red Hat Bugzilla).

The vulnerability stems from improper certificate validation (CWE-295) in the podman machine init command. The specific issue occurs during the VM image download process from OCI registries, where the system fails to properly verify TLS certificates. The vulnerability has been assigned a CVSS v3.1 base score of 8.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H (NVD).

The vulnerability enables potential Man-in-the-Middle (MITM) attacks during the VM image download process. This could allow attackers with access to the network path between the registry and client to intercept and potentially manipulate the downloaded VM images, compromising the integrity and security of the container environment (Red Hat Bugzilla).

Red Hat has released security updates to address this vulnerability in OpenShift Container Platform versions 4.16, 4.18, and 4.19. Users are advised to upgrade to these updated packages when they are available in the appropriate release channel (RHSA-2025:9726, RHSA-2025:9751, RHSA-2025:9766).