CVE-2025-58354
BaseFortify
Publication date: 2025-09-23
Last updated on: 2025-09-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kata_containers | kata_containers | 3.20.0 |
| kata_containers | kata_containers | 3.21.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
In Kata Containers versions 3.20.0 and earlier, on TDX systems running confidential guests, a malicious host can bypass the verification of initialization data by selectively failing IO operations. This allows the attacker to run arbitrary workloads while still successfully attesting as if they were benign workloads.
How can this vulnerability impact me? :
This vulnerability allows a malicious host to execute arbitrary workloads within Kata Containers while impersonating trusted workloads. This could lead to unauthorized code execution and potential compromise of the system's integrity and security.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Kata Containers to version 3.21.0 or later, as this version contains the patch that fixes the vulnerability allowing a malicious host to circumvent initdata verification on TDX systems.