SB2025071802 - Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.18

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025071802

SB2025071802 - Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.18

Published: July 18, 2025 Updated: August 22, 2025

Security Bulletin ID SB2025071802
Severity
High
Patch available
YES
Number of vulnerabilities 30
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 10% Medium 13% Low 77%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 30 secuirty vulnerabilities.


1) Protection mechanism failure (CVE-ID: CVE-2025-32462)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient implementation of security measures when running sudo with -h (--host) option. If the current configuration provides access to users based on the host they are allowed to execute commands, a local user can bypass such a restriction by providing the hostname via the "-h" option they are allowed to execute commands. The vulnerability affects systems that use a common sudoers file that is distributed to multiple machines or when LDAP-based sudoers (including SSSD) is used. 


2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2025-22871)

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests when handling chunked data in net/http. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.


3) Out-of-bounds read (CVE-ID: CVE-2022-49846)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the udf_find_entry() function in fs/udf/namei.c. A local user can perform a denial of service (DoS) attack.


4) Use of uninitialized resource (CVE-ID: CVE-2023-52477)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to usage of uninitialized BOS descriptors in drivers/usb/core/hub.c. A local user can perform a denial of service (DoS) attack.


5) Out-of-bounds read (CVE-ID: CVE-2023-52565)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the uvc_query_v4l2_menu() function in drivers/media/usb/uvc/uvc_ctrl.c. A local user can perform a denial of service (DoS) attack.


6) Improper locking (CVE-ID: CVE-2023-52595)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the rt2x00mac_bss_info_changed() function in drivers/net/wireless/ralink/rt2x00/rt2x00mac.c, within the rt2x00lib_disable_radio(), rt2x00lib_start() and rt2x00lib_stop() functions in drivers/net/wireless/ralink/rt2x00/rt2x00dev.c. A local user can perform a denial of service (DoS) attack.


7) Incorrect calculation (CVE-ID: CVE-2023-52781)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect calculation within the usb_get_bos_descriptor() function in drivers/usb/core/config.c. A local user can perform a denial of service (DoS) attack.


8) Buffer overflow (CVE-ID: CVE-2023-52834)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to memory corruption within the atl1c_set_mac_addr(), atl1c_init_ring_ptrs(), atl1c_free_ring_resources(), atl1c_rx_checksum() and atl1c_alloc_rx_buffer() functions in drivers/net/ethernet/atheros/atl1c/atl1c_main.c. A local user can escalate privileges on the system.


9) Path traversal (CVE-ID: CVE-2024-12718)

The vulnerability allows a remote attacker to modify arbitrary files on the system.

The vulnerability exists due to input validation error in the tarfile module. A remote attacker can pass a specially crafted archive to the application and modify some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory.


10) Integer overflow (CVE-ID: CVE-2024-23337)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in src/jv.c. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and perform a denial of service (DoS) attack.


11) NULL pointer dereference (CVE-ID: CVE-2024-26717)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the i2c_hid_of_probe() function in drivers/hid/i2c-hid/i2c-hid-of.c. A local user can perform a denial of service (DoS) attack.


12) NULL pointer dereference (CVE-ID: CVE-2024-35790)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the hpd_show(), dp_altmode_probe(), dp_altmode_remove() and module_typec_altmode_driver() functions in drivers/usb/typec/altmodes/displayport.c. A local user can perform a denial of service (DoS) attack.


13) Resource management error (CVE-ID: CVE-2024-35807)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to resource management error within the EXT4_DESC_PER_BLOCK() function in fs/ext4/resize.c. A local user can perform a denial of service (DoS) attack.


14) Buffer overflow (CVE-ID: CVE-2024-35924)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory corruption within the ucsi_read_message_in(), ucsi_read_error(), ucsi_send_command() and ucsi_register() functions in drivers/usb/typec/ucsi/ucsi.c. A local user can perform a denial of service (DoS) attack.


15) Resource management error (CVE-ID: CVE-2024-36006)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to resource management error within the mlxsw_sp_acl_tcam_vchunk_migrate_one() and mlxsw_sp_acl_tcam_vchunk_migrate_all() functions in drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c. A local user can perform a denial of service (DoS) attack.


16) Double Free (CVE-ID: CVE-2024-36940)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a double free error within the pinctrl_enable() function in drivers/pinctrl/core.c. A local user can perform a denial of service (DoS) attack.


17) Out-of-bounds read (CVE-ID: CVE-2024-39471)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the sdma_v4_0_process_trap_irq() function in drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c. A local user can perform a denial of service (DoS) attack.


18) Use-after-free (CVE-ID: CVE-2024-41092)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the i915_vma_revoke_fence() function in drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c. A local user can escalate privileges on the system.


19) Resource management error (CVE-ID: CVE-2024-41097)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to resource management error within the cxacru_bind() function in drivers/usb/atm/cxacru.c. A local user can perform a denial of service (DoS) attack.


20) Resource management error (CVE-ID: CVE-2024-43880)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to resource management error within the objagg_hints_obj_cmp() and objagg_hints_get() functions in lib/objagg.c, within the mlxsw_sp_acl_erp_delta_check() and mlxsw_sp_acl_erp_root_destroy() functions in drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_erp.c. A local user can perform a denial of service (DoS) attack.


21) Input validation error (CVE-ID: CVE-2024-46826)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the fs/binfmt_elf.c. A local user can perform a denial of service (DoS) attack.


22) Insecure temporary file (CVE-ID: CVE-2024-54661)

The vulnerability allows a local user to overwrite arbitrary files on the system.

The vulnerability exists due to usage of a predictable temporary file name in readline.sh. A local user can create a symbolic link from the temporary file to an arbitrary files on the system and overwrite it with the application's output, corrupting the file.


23) Out-of-bounds read (CVE-ID: CVE-2024-56614)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the xsk_map_delete_elem() function in net/xdp/xskmap.c. A local user can perform a denial of service (DoS) attack.


24) Link following (CVE-ID: CVE-2025-4138)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an insecure link following issue when extracting data from an archive in the tarfile module. A remote attacker can pass a specially crafted archive to the application and overwrite arbitrary files outside the destination directory during extraction with filter="data"..


25) Link following (CVE-ID: CVE-2025-4330)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an insecure link following issue when extracting data from an archive in the tarfile module. A remote attacker can pass a specially crafted archive to the application and overwrite arbitrary files outside the destination directory.


26) Expected behavior violation (CVE-ID: CVE-2025-4435)

The vulnerability allows a remote attacker to change expected behavior. 

The vulnerability exists due to an error when using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior. A remote attacker can force the application to extract files that were meant to be skipped. 


27) Path traversal (CVE-ID: CVE-2025-4517)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to input validation error in the tarfile module when extracting files from an archive with filter="data". A remote attacker can pass specially crafted archive to the application and write files to arbitrary locations on the system outside the extraction directory.


28) Improper access control (CVE-ID: CVE-2025-6020)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper access restrictions within the pam_namespace module when handling user-controlled paths. A local user can use specially crafted symlinks and race conditions to execute arbitrary code as root. 


29) Use-after-free (CVE-ID: CVE-2025-22126)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the __mddev_put(), md_seq_show(), EXPORT_SYMBOL_GPL(), md_notify_reboot(), md_autostart_arrays() and md_exit() functions in drivers/md/md.c. A local user can escalate privileges on the system.


30) Heap-based buffer overflow (CVE-ID: CVE-2025-48060)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the jv_string_vfmt() function. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References