High severity 7.2 · NVD Advisory · Published Apr 26, 2024 · Updated Apr 15, 2026
CVE-2024-3154
Description
A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/cri-o/cri-o (Go) | >= 1.29.0, < 1.29.4 | 1.29.4 |
| github.com/cri-o/cri-o (Go) | >= 1.28.0, < 1.28.6 | 1.28.6 |
| github.com/cri-o/cri-o (Go) | < 1.27.6 | 1.27.6 |
Patches
13db0871f1cf2
References
- github.com/advisories/GHSA-2cgq-h8xw-2v5j (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-3154 (ghsa, ADVISORY)
- access.redhat.com/security/cve/CVE-2024-3154 (nvd, WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd, WEB)
- github.com/cri-o/cri-o/security/advisories/GHSA-2cgq-h8xw-2v5j (nvd, WEB)
- github.com/opencontainers/runc/pull/4217 (nvd, WEB)
- github.com/opencontainers/runtime-spec/blob/main/features.md (nvd, WEB)
- access.redhat.com/errata/RHSA-2024:2669 (nvd)
- access.redhat.com/errata/RHSA-2024:2672 (nvd)
- access.redhat.com/errata/RHSA-2024:2784 (nvd)
- access.redhat.com/errata/RHSA-2024:3496 (nvd)