← back
CVE-2025-58354

Kata Containers coco-tdx malicious host can circumvent initdata verification

CVSS 6.9 MEDIUMEPSS 0.3%CWE-754
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.9EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
23 Sep 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In Kata Containers versions from 3.20.0 and before, a malicious host can circumvent initdata verification. On TDX systems running confidential guests, a malicious host can selectively fail IO operations to skip initdata verification. This allows an attacker to launch arbitrary workloads while being able to attest successfully to Trustee impersonating any benign workload. This issue has been patched in Kata Containers version 3.21.0.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
kata-containers · kata-containers

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/kata-containers/kata-containers/commit/3e67f92e34be974e792c153add76e4e4baac9de0https://github.com/kata-containers/kata-containers/security/advisories/GHSA-989w-4xr2-ww9m