GHSA-fcm2-6c3h-pg6j · Severity: high · Ecosystem: go — Node DOS by way of memory exhaustion through ExecSync request in CRI-O
A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.
Conclusion & alert: CVE-2022-1708 is rated High Exploit Risk (76.9/100): CVSS High severity, with medium exploitation likelihood (EPSS 2.79%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +2.33% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.45% | 2.79% | +2.33% |
| 2 | 2026-04-14 | 0.56% | 0.45% | -0.11% |
| 3 | 2025-11-21 | — | 0.56% | — |
Full EPSS history (19 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 7.8 | 2.0 | HIGH |
|
10.0 | 6.9 | [email protected] |
GHSA-fcm2-6c3h-pg6j · Severity: high · Ecosystem: go — Node DOS by way of memory exhaustion through ExecSync request in CRI-O
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
high | CVE-2022-1708: 1 source package rows (cri-o); 5 state rows across 3 repos (3.21-community, 3.22-community, edge-community); fixed 3, open 2. | https://security.alpinelinux.org/vuln/CVE-2022-1708 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2022-1708 |
suse
|
medium | CVE-2022-1708 severity moderate: SUSE including 53 source package names (aardvark-dns-1.1.0-4.module+el8.7.0+16772+33343656, buildah-1.27.0-2.module+el8.7.0+16772+33343656, …), 80 product×package rows across 39 product lines (Container rancher/elemental-teal-rt/5.4, Container rancher/elemental-teal/5.4, … (39 product lines)): Fixed 80. | https://www.suse.com/security/cve/CVE-2022-1708/ |
ubuntu
|
medium | CVE-2022-1708 medium priority: Ubuntu including 1 source packages (cri-o), 5 status rows across 5 suites (focal, jammy, noble, oracular, upstream): DNE 4, needs-triage 1. | https://ubuntu.com/security/CVE-2022-1708 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| kubernetes | cri-o | < 1.19.7 | cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:* |
| kubernetes | cri-o | >= 1.20.0, < 1.20.8 | cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:* |
| kubernetes | cri-o | >= 1.21.0, < 1.21.8 | cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:* |
| kubernetes | cri-o | >= 1.22.0, < 1.22.5 | cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:* |
| kubernetes | cri-o | >= 1.23.0, < 1.23.3 | cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:* |
| kubernetes | cri-o | 1.24.0 | cpe:2.3:a:kubernetes:cri-o:1.24.0:*:*:*:*:*:*:* |
| fedoraproject | fedora | 36 | cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* |
| redhat | openshift_container_platform | 3.11 | cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:* |
| redhat | openshift_container_platform | 4.0 | cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:* |
| redhat | openshift_container_platform | 4.9 | cpe:2.3:a:redhat:openshift_container_platform:4.9:*:*:*:*:*:*:* |
| redhat | openshift_container_platform | 4.10 | cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:*:* |
| redhat | enterprise_linux | 7.0 | cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux | 8.0 | cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux | 9.0 | cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2085361 | Issue Tracking Third Party Advisory |
| https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544 | Patch |
| https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j | Exploit Third Party Advisory |