Moderate severity · NVD Advisory · Published Jan 9, 2024 · Updated Nov 20, 2025
Cri-o: pods are able to break out of resource confinement on cgroupv2
CVE-2023-6476
Description
A flaw was found in CRI-O that involves an experimental annotation leading to a container being unconfined. This may allow a pod to specify and get any amount of memory/CPU, circumventing the Kubernetes scheduler and potentially resulting in a denial of service in the node.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/cri-o/cri-o (Go) | >= 1.29.0, < 1.29.1 | 1.29.1 |
| github.com/cri-o/cri-o (Go) | >= 1.28.0, < 1.28.3 | 1.28.3 |
| github.com/cri-o/cri-o (Go) | < 1.27.3 | 1.27.3 |
Affected products
- cpe:/a:redhat:openshift:3.11
- cpe:/a:redhat:openshift:4.13::el9 (range: 0:1.26.4-6.1.rhaos4.13.git9eb9cf3.el9)
- cpe:/a:redhat:openshift:4.14::el9 (range: 0:1.27.2-7.rhaos4.14.git1cc7a64.el9)
References
- access.redhat.com/errata/RHSA-2024:0195 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2024:0207 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- github.com/advisories/GHSA-p4rx-7wvg-fwrc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-6476 (ghsa, ADVISORY)
- access.redhat.com/security/cve/CVE-2023-6476 (ghsa, vdb-entry, x_refsource_REDHAT, WEB)
- bugzilla.redhat.com/show_bug.cgi (ghsa, issue-tracking, x_refsource_REDHAT, WEB)
- github.com/cri-o/cri-o/blob/main/pkg/config/workloads.go (ghsa, WEB)
- github.com/cri-o/cri-o/commit/75effcb1a25851a736e82dba1f7d8cee93ee159e (ghsa, WEB)
- github.com/cri-o/cri-o/pull/4479 (ghsa, WEB)
- github.com/cri-o/cri-o/security/advisories/GHSA-p4rx-7wvg-fwrc (ghsa, WEB)