Security update for podman SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:20305-1 Final 1 1 2026-03-03T16:13:34Z current 2026-03-03T16:13:34Z 2026-03-03T16:13:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for podman This update for podman fixes the following issues: Changes in podman: - Add symlink to catatonit in /usr/libexec/podman (bsc#1248988) - CVE-2025-47914: Fixed golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read (bsc#1253993) - CVE-2025-47913: Fixed golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or signing request (bsc#1253542): - CVE-2025-31133,CVE-2025-52565,CVE-2025-52881: Fixed runc: Container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files (bsc#1252376): - CVE-2025-9566: Fixed that podman kube play command may overwrite host files (bsc#1249154): The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-343 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1248988 SUSE Bug 1248988 https://bugzilla.suse.com/1249154 SUSE Bug 1249154 https://bugzilla.suse.com/1252376 SUSE Bug 1252376 https://bugzilla.suse.com/1253542 SUSE Bug 1253542 https://bugzilla.suse.com/1253993 SUSE Bug 1253993 https://www.suse.com/security/cve/CVE-2025-22869/ SUSE CVE CVE-2025-22869 page https://www.suse.com/security/cve/CVE-2025-31133/ SUSE CVE CVE-2025-31133 page https://www.suse.com/security/cve/CVE-2025-47913/ SUSE CVE CVE-2025-47913 page https://www.suse.com/security/cve/CVE-2025-47914/ SUSE CVE CVE-2025-47914 page https://www.suse.com/security/cve/CVE-2025-52565/ SUSE CVE CVE-2025-52565 page https://www.suse.com/security/cve/CVE-2025-52881/ SUSE CVE CVE-2025-52881 page https://www.suse.com/security/cve/CVE-2025-6032/ SUSE CVE CVE-2025-6032 page https://www.suse.com/security/cve/CVE-2025-9566/ SUSE CVE CVE-2025-9566 page openSUSE Leap 16.0 podman-5.4.2-160000.4.1 podman-docker-5.4.2-160000.4.1 podman-remote-5.4.2-160000.4.1 podmansh-5.4.2-160000.4.1 podman-5.4.2-160000.4.1 as a component of openSUSE Leap 16.0 podman-docker-5.4.2-160000.4.1 as a component of openSUSE Leap 16.0 podman-remote-5.4.2-160000.4.1 as a component of openSUSE Leap 16.0 podmansh-5.4.2-160000.4.1 as a component of openSUSE Leap 16.0 SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. CVE-2025-22869 openSUSE Leap 16.0:podman-5.4.2-160000.4.1 openSUSE Leap 16.0:podman-docker-5.4.2-160000.4.1 openSUSE Leap 16.0:podman-remote-5.4.2-160000.4.1 openSUSE Leap 16.0:podmansh-5.4.2-160000.4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-22869.html CVE-2025-22869 https://bugzilla.suse.com/1239322 SUSE Bug 1239322 runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3. CVE-2025-31133 openSUSE Leap 16.0:podman-5.4.2-160000.4.1 openSUSE Leap 16.0:podman-docker-5.4.2-160000.4.1 openSUSE Leap 16.0:podman-remote-5.4.2-160000.4.1 openSUSE Leap 16.0:podmansh-5.4.2-160000.4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-31133.html CVE-2025-31133 https://bugzilla.suse.com/1252232 SUSE Bug 1252232 https://bugzilla.suse.com/1255063 SUSE Bug 1255063 SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. CVE-2025-47913 openSUSE Leap 16.0:podman-5.4.2-160000.4.1 openSUSE Leap 16.0:podman-docker-5.4.2-160000.4.1 openSUSE Leap 16.0:podman-remote-5.4.2-160000.4.1 openSUSE Leap 16.0:podmansh-5.4.2-160000.4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-47913.html CVE-2025-47913 https://bugzilla.suse.com/1253506 SUSE Bug 1253506 SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. CVE-2025-47914 openSUSE Leap 16.0:podman-5.4.2-160000.4.1 openSUSE Leap 16.0:podman-docker-5.4.2-160000.4.1 openSUSE Leap 16.0:podman-remote-5.4.2-160000.4.1 openSUSE Leap 16.0:podmansh-5.4.2-160000.4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-47914.html CVE-2025-47914 https://bugzilla.suse.com/1253967 SUSE Bug 1253967 runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3. CVE-2025-52565 openSUSE Leap 16.0:podman-5.4.2-160000.4.1 openSUSE Leap 16.0:podman-docker-5.4.2-160000.4.1 openSUSE Leap 16.0:podman-remote-5.4.2-160000.4.1 openSUSE Leap 16.0:podmansh-5.4.2-160000.4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-52565.html CVE-2025-52565 https://bugzilla.suse.com/1252232 SUSE Bug 1252232 https://bugzilla.suse.com/1255063 SUSE Bug 1255063 runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3. CVE-2025-52881 openSUSE Leap 16.0:podman-5.4.2-160000.4.1 openSUSE Leap 16.0:podman-docker-5.4.2-160000.4.1 openSUSE Leap 16.0:podman-remote-5.4.2-160000.4.1 openSUSE Leap 16.0:podmansh-5.4.2-160000.4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-52881.html CVE-2025-52881 https://bugzilla.suse.com/1252232 SUSE Bug 1252232 https://bugzilla.suse.com/1255063 SUSE Bug 1255063 A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack. CVE-2025-6032 openSUSE Leap 16.0:podman-5.4.2-160000.4.1 openSUSE Leap 16.0:podman-docker-5.4.2-160000.4.1 openSUSE Leap 16.0:podman-remote-5.4.2-160000.4.1 openSUSE Leap 16.0:podmansh-5.4.2-160000.4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-6032.html CVE-2025-6032 https://bugzilla.suse.com/1245320 SUSE Bug 1245320 There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file. Binary-Affected: podman Upstream-version-introduced: v4.0.0 Upstream-version-fixed: v5.6.1 CVE-2025-9566 openSUSE Leap 16.0:podman-5.4.2-160000.4.1 openSUSE Leap 16.0:podman-docker-5.4.2-160000.4.1 openSUSE Leap 16.0:podman-remote-5.4.2-160000.4.1 openSUSE Leap 16.0:podmansh-5.4.2-160000.4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-9566.html CVE-2025-9566 https://bugzilla.suse.com/1249154 SUSE Bug 1249154