CVE-2024-7598 | Network restriction bypass via race condition during namespace termination

A security issue was discovered in Kubernetes where a malicious or compromised pod could bypass network restrictions enforced by network policies during namespace deletion. The order in which objects are deleted during namespace termination is not defined, and it is possible for network policies to be deleted before the pods that they protect. This can lead to a brief period in which the pods are running, but network policies that should apply to connections to and from the pods are not enforced.

Published: 2025-03-20 Last update: 2026-04-15 Assigner: [email protected] Source: [email protected]
NVD Status:DeferredCVE State: published
View at NVD, CVE.org, EUVD

CVE-2024-7598 is rated Low Risk (12.7/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.01%). Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2024-7598

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2025-03-21 0.01%

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2024-7598

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
3.1 3.1 LOW
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Click to expand
Attack vector (AV:A)
Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.
 1.6 1.4 [email protected]

Weakness enumeration for CVE-2024-7598

GitHub Security Advisory for CVE-2024-7598

GHSA-r56h-j38w-hrqq · Severity: low · Ecosystem: go — Kubernetes kube-apiserver Vulnerable to Race Condition

OS Trackers for CVE-2024-7598

vendor priority summary link
debian not yet assigned CVE-2024-7598 not yet assigned priority: Debian including 1 source packages (kubernetes), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2024-7598
redhat low https://access.redhat.com/security/cve/CVE-2024-7598
suse low CVE-2024-7598 severity low: SUSE including 74 source package names (cloud-init-25.1.3-slfo.1.1_1.1, cloud-init-config-suse-25.1.3-slfo.1.1_1.1, …), 244 product×package rows across 21 product lines (Image SLE-Micro, Image SLE-Micro-Azure, … (21 product lines)): Known Not Affected 230, Fixed 14. https://www.suse.com/security/cve/CVE-2024-7598/
ubuntu medium CVE-2024-7598 medium priority: Ubuntu including 1 source packages (kubernetes), 6 status rows across 6 suites (focal, jammy, noble, oracular, plucky, upstream): not-affected 3, DNE 1, ignored 1, needs-triage 1. https://ubuntu.com/security/CVE-2024-7598

Affected software / configurations for CVE-2024-7598

Vendor Product Version Raw CPE
No affected products in dataset.

References for CVE-2024-7598

cvelogic Threat Intelligence