Podman: kernel: containers in shared ipc namespace are vulnerable to denial of service attack
Description
A flaw was found in Podman. This issue may allow an attacker to create a specially crafted container that, when configured to share the same IPC with at least one other container, can create a large number of IPC resources in /dev/shm. The malicious container will continue to exhaust resources until it is out-of-memory (OOM) killed. While the malicious container's cgroup will be removed, the IPC resources it created are not. Those resources are tied to the IPC namespace that will not be removed until all containers using it are stopped, and one non-malicious container is holding the namespace open. The malicious container is restarted, either automatically or by attacker control, repeating the process and increasing the amount of memory consumed. With a container configured to restart always, such as podman run --restart=always, this can result in a memory-based denial of service of the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Podman containers sharing IPC namespace can be exploited to exhaust memory via repeated creation of IPC resources, leading to denial of service.
Vulnerability
A flaw in Podman allows a malicious container sharing an IPC namespace with other containers to create a large number of IPC resources in /dev/shm, exhausting memory until the container is OOM-killed. The IPC resources persist because they are tied to the IPC namespace, which remains open as long as any container using it is running. When the malicious container restarts (automatically or by attacker control), it repeats the process, accumulating memory consumption over time [1][4].
Exploitation
An attacker must have the ability to run a container with shared IPC (e.g., --ipc=shareable or pod-based setups) and configure it to restart automatically (e.g., --restart=always). The malicious container repeatedly creates IPC resources until OOM, then restarts, each cycle leaking memory that is not freed because the cgroup is removed but the IPC resources remain accounted to the namespace [3][4].
Impact
This can lead to a memory-based denial of service on the host system, potentially affecting all containers and services. The attack requires no special privileges beyond container runtime access and can persist indefinitely if the malicious container is set to always restart [1][3].
Mitigation
As of the report, no patch is available for affected versions (Podman 5.0.0-dev and earlier). Users should avoid sharing IPC namespaces between untrusted containers, implement memory limits via cgroups, and consider using --restart=on-failure instead of --restart=always to prevent automatic restarts [4].
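As an added audit check (not part of the advisory or of the Podman project), the Python below scans `podman inspect` output for containers that join another container's IPC namespace while set to `--restart=always` with no memory limit, the combination the text above describes. The inspect data is a constructed sample; the field names (`HostConfig.IpcMode`, `HostConfig.RestartPolicy.Name`, `HostConfig.Memory`) follow podman's Docker-compatible inspect format, and the function names are this example's own.

```python
import json

# Constructed sample standing in for `podman inspect $(podman ps -aq)` output.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "db",
     "HostConfig": {"IpcMode": "shareable", "Memory": 0,
                    "RestartPolicy": {"Name": "no", "MaximumRetryCount": 0}}},
    {"Id": "bbb222", "Name": "worker",
     "HostConfig": {"IpcMode": "container:aaa111", "Memory": 0,
                    "RestartPolicy": {"Name": "always", "MaximumRetryCount": 0}}},
    {"Id": "ccc333", "Name": "web",
     "HostConfig": {"IpcMode": "private", "Memory": 0,
                    "RestartPolicy": {"Name": "always", "MaximumRetryCount": 0}}},
    {"Id": "ddd444", "Name": "cache",
     "HostConfig": {"IpcMode": "container:aaa111", "Memory": 268435456,
                    "RestartPolicy": {"Name": "on-failure", "MaximumRetryCount": 3}}},
])


def find_shared_ipc_risks(inspect_json: str) -> list:
    """One finding per container that joins another container's IPC namespace
    (IpcMode 'container:<id>'), with the signals relevant to the advisory."""
    containers = {c["Id"]: c for c in json.loads(inspect_json)}
    findings = []
    for c in containers.values():
        hc = c["HostConfig"]
        ipc = hc.get("IpcMode", "")
        if not ipc.startswith("container:"):
            continue  # private/shareable/host modes are not the joiner side
        provider_id = ipc.split(":", 1)[1]
        # The provider keeps the namespace, and its /dev/shm contents, alive.
        provider = containers.get(provider_id, {})
        restart = hc.get("RestartPolicy", {}).get("Name", "no")
        findings.append({
            "container": c["Name"].lstrip("/"),
            "shares_ipc_with": provider.get("Name", provider_id).lstrip("/"),
            "restart_always": restart == "always",
            "no_memory_limit": hc.get("Memory", 0) == 0,  # 0 means unlimited
        })
    return findings


def high_risk(findings: list) -> list:
    """Names of joiners that also restart unconditionally without a memory cap."""
    return [f["container"] for f in findings
            if f["restart_always"] and f["no_memory_limit"]]


if __name__ == "__main__":
    found = find_shared_ipc_risks(SAMPLE_INSPECT)
    for f in found:
        print(f)
    print("high risk:", high_risk(found))
```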
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/containers/podman/v5 | Go | <= 5.2.0 | — |
| github.com/containers/podman | Go | <= 5.2.0 | — |
| github.com/containers/podman/v2 | Go | <= 5.2.0 | — |
| github.com/containers/podman/v3 | Go | <= 5.2.0 | — |
| github.com/containers/podman/v4 | Go | <= 5.2.0 | — |
Affected products
OSV coordinates (9 versions, no CPE):
- pkg:apk/chainguard/podman: < 5.6.2-r2
- pkg:apk/chainguard/podman-doc: < 5.6.2-r2
- pkg:apk/wolfi/podman: < 5.6.2-r2
- pkg:apk/wolfi/podman-doc: < 5.6.2-r2
- pkg:golang/github.com/containers/podman: <= 5.2.0
- pkg:golang/github.com/containers/podman/v2: <= 5.2.0
- pkg:golang/github.com/containers/podman/v3: <= 5.2.0
- pkg:golang/github.com/containers/podman/v4: <= 5.2.0
- pkg:golang/github.com/containers/podman/v5: <= 5.2.0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-rpcc-p8xm-rc6p (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-3056 (NVD advisory)
- access.redhat.com/security/cve/CVE-2024-3056 (Red Hat CVE entry)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla issue tracker)
- pkg.go.dev/vuln/GO-2024-3042 (Go vulnerability database)
- security.netapp.com/advisory/ntap-20241227-0002 (NetApp advisory)