VYPR
Medium severity · OSV Advisory · Published Sep 23, 2025 · Updated Apr 15, 2026

CVE-2025-58354
Description

Kata Containers is an open source project focused on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In Kata Containers 3.20.0 and earlier, a malicious host can circumvent initdata verification. On TDX systems running confidential guests, a malicious host can selectively fail I/O operations so that the guest agent skips initdata verification. This lets an attacker launch arbitrary workloads while still attesting successfully to Trustee, impersonating any benign workload. This issue has been patched in Kata Containers version 3.21.0.
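The pattern behind the bypass and its fail-closed replacement, as an added Rust example that is not code from this advisory or from the Kata Containers project: `Path::exists()` folds every error into `false`, so an I/O failure is indistinguishable from a missing file, whereas `try_exists()` reports `false` only for a genuine NotFound and surfaces everything else. The `Presence` enum, the `attestation_binaries_available` wrapper and the ENOTDIR temp-file scenario are constructed for the demonstration and are assumptions, not the project's own code.

```rust
use std::fs::File;
use std::io::ErrorKind;
use std::path::Path;
/// Result of a fail-closed existence check.
#[derive(Debug, PartialEq)]
pub enum Presence {
    Present,
    Absent,
    /// The check itself failed for a reason other than NotFound; never treat as absent.
    Untrusted(String),
}

/// Vulnerable pattern: `Path::exists()` folds every stat() error into `false`,
/// so a host-induced IO failure looks identical to a genuinely missing file.
pub fn exists_lossy(path: &Path) -> bool {
    path.exists()
}

/// Hardened pattern: `try_exists()` reports a plain NotFound as `Ok(false)` and
/// returns `Err` for anything else (EACCES, EIO, ENOTDIR, ...), which is surfaced.
pub fn exists_fail_closed(path: &Path) -> Presence {
    match path.try_exists() {
        Ok(true) => Presence::Present,
        Ok(false) => Presence::Absent,
        Err(e) => {
            debug_assert_ne!(e.kind(), ErrorKind::NotFound);
            Presence::Untrusted(format!("{}: {}", path.display(), e))
        }
    }
}

/// Gate modelled on the agent's check (hypothetical, not the project's code): every
/// binary must be present, and an untrusted answer is an error, not "not available".
pub fn attestation_binaries_available(binaries: &[&Path]) -> Result<bool, String> {
    for b in binaries {
        match exists_fail_closed(b) {
            Presence::Present => {}
            Presence::Absent => return Ok(false),
            Presence::Untrusted(msg) => return Err(msg),
        }
    }
    Ok(true)
}

/// Constructed scenario: a path whose parent is a regular file makes stat()
/// fail with ENOTDIR, which is not NotFound. Returns (lossy, fail_closed).
pub fn demo() -> (bool, Presence) {
    let file = std::env::temp_dir().join("cve-2025-58354-demo-file");
    File::create(&file).expect("create constructed temp file");
    let bogus = file.join("attestation-agent");
    (exists_lossy(&bogus), exists_fail_closed(&bogus))
}
```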

Patches

c2b06504916c

release: Bump version to 3.21.0

2 files changed · +3 −3
  • tools/packaging/kata-deploy/helm-chart/kata-deploy/Chart.yaml +2 −2 modified
    @@ -15,10 +15,10 @@ type: application
     # This is the chart version. This version number should be incremented each time you make changes
     # to the chart and its templates, including the app version.
     # Versions are expected to follow Semantic Versioning (https://semver.org/)
    -version: "3.20.0"
    +version: "3.21.0"
     
     # This is the version number of the application being deployed. This version number should be
     # incremented each time you make changes to the application. Versions are not expected to
     # follow Semantic Versioning. They should reflect the version the application is using.
     # It is recommended to use it with quotes.
    -appVersion: "3.20.0"
    +appVersion: "3.21.0"
    
  • VERSION +1 −1 modified
    @@ -1 +1 @@
    -3.20.0
    +3.21.0
    
3e67f92e34be

Merge commit from fork

2 files changed · +13 −3
  • src/agent/src/main.rs +12 −2 modified
    @@ -30,6 +30,7 @@ use nix::unistd::{self, dup, sync, Pid};
     use std::env;
     use std::ffi::OsStr;
     use std::fs::{self, File};
    +use std::io::ErrorKind;
     use std::os::unix::fs::{self as unixfs, FileTypeExt};
     use std::os::unix::io::AsRawFd;
     use std::path::Path;
    @@ -465,8 +466,17 @@ fn attestation_binaries_available(logger: &Logger, procs: &GuestComponentsProcs)
             _ => vec![],
         };
         for binary in binaries.iter() {
    -        if !Path::new(binary).exists() {
    -            warn!(logger, "{} not found", binary);
    +        let exists = Path::new(binary).try_exists().unwrap_or_else(|error| {
    +            match error.kind() {
    +                ErrorKind::NotFound => {
    +                    warn!(logger, "{} not found", binary);
    +                    false
    +                },
    +                _ => panic!("Path existence check failed for '{}': {}", binary, error)
    +            }
    +        });
    +
    +        if !exists {
                 return false;
             }
         }
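Review bot: The `ErrorKind::NotFound` arm in the new closure is effectively dead code, and the "not found" warning is lost with it: `Path::try_exists()` already maps a NotFound error to `Ok(false)`, so a genuinely missing binary now reaches `if !exists { return false; }` without the `warn!(logger, "{} not found", binary)` that the removed lines emitted. Suggest moving that warning into the `if !exists` branch and leaving the closure with the single job of `panic!`-ing on any other I/O error. The panic is the right fail-closed choice here, since the old `exists()` collapsed every error into `false` and let a host-induced I/O failure look like "binaries absent"; add a short comment saying so, so that a later cleanup does not turn the panic back into a `false`.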
    
  • tools/packaging/static-build/initramfs/init.sh +1 −1 modified
    @@ -48,7 +48,7 @@ then
     		exit 1
     	fi
     
    -	veritysetup open "${root_device}" root "${hash_device}" "${rootfs_hash}"
    +	veritysetup open --panic-on-corruption "${root_device}" root "${hash_device}" "${rootfs_hash}"
     	mount /dev/mapper/root /mnt
     else
     	echo "No LUKS device found"
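Review bot: The exit status of `veritysetup open` is not checked before `mount /dev/mapper/root /mnt`. If the guest's veritysetup or kernel does not support `--panic-on-corruption`, the open fails, the script continues and the boot proceeds without the protection this change is meant to add. Suggest `veritysetup open --panic-on-corruption "${root_device}" root "${hash_device}" "${rootfs_hash}" || exit 1`, matching the `exit 1` used earlier in this block, and a one-line comment that the flag makes a corrupted block panic the kernel instead of returning an I/O error, which is what closes the selective I/O-failure path the advisory describes.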
    

