CVE-2025-6032

Summary

A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.

Affected Software

VendorProductVersion RangeStatus
4.8.0 < 5.5.2affected
Red HatRed Hat Enterprise Linux 106:5.4.0-12.el10_0 < *unaffected
Red HatRed Hat Enterprise Linux 88100020250625105344.afee755d < *unaffected
Red HatRed Hat Enterprise Linux 95:5.4.0-12.el9_6 < *unaffected
Red HatRed Hat Enterprise Linux 9.4 Extended Update Support4:4.9.4-18.el9_4.2 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.164:4.9.4-14.rhaos4.16.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.16416.94.202507222002-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.175:5.2.2-8.rhaos4.17.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.17417.94.202507132309-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.18418.94.202507221927-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.185:5.2.2-9.rhaos4.18.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.194.19.9.6.202507152218-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.195:5.4.0-6.rhaos4.19.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.204.20.9.6.202509251656-0 < *unaffected

Weaknesses

  • CWE-295: Improper Certificate Validation

Workarounds

Download the VM image manually with another tool that verifies the TLS certificate and then pass the local image as a file path to podman, for example:

podman machine init –image <local-image-path>

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References