VYPR
Moderate severity · NVD Advisory · Published Jan 9, 2024 · Updated Nov 20, 2025

CRI-O: pods are able to break out of resource confinement on cgroupv2

CVE-2023-6476

Description

A flaw was found in CRI-O that involves an experimental annotation leading to a container being unconfined. This may allow a pod to specify and get any amount of memory/CPU, circumventing the Kubernetes scheduler and potentially resulting in a denial of service on the node.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions      Patched versions
github.com/cri-o/cri-o (Go)    >= 1.29.0, < 1.29.1    1.29.1
github.com/cri-o/cri-o (Go)    >= 1.28.0, < 1.28.3    1.28.3
github.com/cri-o/cri-o (Go)    < 1.27.3               1.27.3

Affected products

  • cpe:/a:redhat:openshift:3.11
  • cpe:/a:redhat:openshift:4.13::el9
    range: 0:1.26.4-6.1.rhaos4.13.git9eb9cf3.el9
  • cpe:/a:redhat:openshift:4.14::el9
    range: 0:1.27.2-7.rhaos4.14.git1cc7a64.el9
  • ghsa-coords
    Range: >= 1.29.0, < 1.29.1
