CVE-2024-12401
Description
A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A flaw in cert-manager allows an attacker with write access to PEM data (e.g., in Secrets) to cause a denial of service via excessive CPU consumption in the controller pod.
Vulnerability
Overview
CVE-2024-12401 is a denial-of-service (DoS) vulnerability in the cert-manager package. The flaw arises from inefficient processing of PEM data that cert-manager reads from resources such as Secret objects. An attacker who can modify this PEM data can trigger excessive CPU consumption in the cert-manager controller pod, effectively creating a DoS condition [1][2].
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must have the ability to modify PEM data that cert-manager reads. This typically requires write access to Secret resources or other data sources that cert-manager monitors. The attacker does not need network-level access to the controller pod itself; instead, they can leverage existing permissions within the Kubernetes cluster to alter the data. No authentication beyond standard Kubernetes RBAC is required, but the attacker must be able to create or update resources that cert-manager processes [1][2].
Impact
Successful exploitation leads to high CPU usage by the cert-manager controller pod, which can degrade or completely disrupt certificate management operations. This may prevent the issuance, renewal, or revocation of TLS certificates, impacting the security and availability of services that rely on cert-manager. The DoS condition is limited to the controller pod and does not directly affect other cluster components, but it can cause cascading failures if certificate operations are critical [1][2].
Mitigation
Red Hat has acknowledged this issue and recommends updating cert-manager to a patched version. As of the publication date, no workaround is documented. Users should review the advisory from Red Hat and apply the appropriate update to mitigate the risk [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/cert-manager/cert-manager (Go) | < 1.12.14 | 1.12.14 |
| github.com/cert-manager/cert-manager (Go) | >= 1.13.0-alpha.0, < 1.15.4 | 1.15.4 |
| github.com/cert-manager/cert-manager (Go) | >= 1.16.0-alpha.0, < 1.16.2 | 1.16.2 |
Affected products
- Range: >= 1.16.0-alpha.0, < 1.16.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-ghw8-3xqw-hhcj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-12401 (ghsa, ADVISORY)
- access.redhat.com/security/cve/CVE-2024-12401 (nvd, WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd, WEB)
- github.com/cert-manager/cert-manager/pull/7400 (nvd, WEB)
- github.com/cert-manager/cert-manager/pull/7401 (nvd, WEB)
- github.com/cert-manager/cert-manager/pull/7402 (nvd, WEB)
- github.com/cert-manager/cert-manager/pull/7403 (nvd, WEB)
- github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4 (nvd, WEB)
- go.dev/issue/50116 (nvd, WEB)
News mentions
No linked articles in our index yet.