CVE-2024-11218
Published: 22 January 2025
Summary
CVE-2024-11218 is a high-severity Improper Privilege Management (CWE-269) vulnerability. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611). The vulnerability ranks at the 37.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2024-11218 affects the `podman build` and `buildah` commands. Building a malicious Containerfile with `--jobs=2` (parallel build stages) triggers a race condition that results in a container breakout. SELinux may partially mitigate the escape, but even with SELinux enforcing, the flaw still allows enumeration of files and directories on the host. Published on 2025-01-22, the vulnerability carries a CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and maps to CWE-269 (Improper Privilege Management).
An attacker needs no privileges on the host (PR:N) but does need user interaction (UI:R): the victim must be induced to run `podman build` or `buildah` with `--jobs=2` on an attacker-supplied Containerfile. Because the breakout crosses from the build container into the host, the vector carries a changed scope (S:C) with high confidentiality, integrity, and availability impact, including the ability to enumerate host files and directories despite SELinux.
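Detecting builds that meet the exploitation precondition, as an added example that is not part of this page or of the podman/buildah projects: the script below parses Linux auditd EXECVE records, such as those produced by execute watches on the two binaries (`-w /usr/bin/podman -p x -k container_build`, and the same for `/usr/bin/buildah`; the key name and paths are assumptions for the illustration), and flags `podman build` and `buildah build` invocations whose `--jobs` value exceeds 1. The audit lines embedded in the script are constructed samples, not real logs. Flagging such builds is a compensating detection for hosts that are not yet patched, not a substitute for the errata.

```python
"""Flag podman/buildah builds that run stages in parallel (--jobs > 1).

Added detection example; not code from the CVE page or from the podman or
buildah projects. It parses Linux auditd EXECVE records, such as those
produced by the (assumed) watch rules
    -w /usr/bin/podman  -p x -k container_build
    -w /usr/bin/buildah -p x -k container_build
and reports build invocations whose --jobs value exceeds 1, which is the
precondition for triggering CVE-2024-11218 on an unpatched host.
"""
import re
from typing import Dict, List, Optional

# Constructed sample records (not real logs). The third line shows the hex
# encoding auditd applies to an argument that contains a space.
SAMPLE_AUDIT_LINES = [
    'type=EXECVE msg=audit(1737590400.101:201): argc=5 a0="podman" a1="build" a2="--jobs=2" a3="-t" a4="app:dev"',
    'type=EXECVE msg=audit(1737590400.102:202): argc=4 a0="buildah" a1="build" a2="-t" a3="app:dev"',
    'type=EXECVE msg=audit(1737590400.103:203): argc=5 a0="buildah" a1="build" a2="--jobs" a3="4" a4=2F746D702F6D7920646972',
    'type=EXECVE msg=audit(1737590400.104:204): argc=3 a0="podman" a1="run" a2="--jobs=2"',
    'type=EXECVE msg=audit(1737590400.105:205): argc=4 a0="/usr/bin/podman" a1="build" a2="--jobs=1" a3="."',
    'type=SYSCALL msg=audit(1737590400.105:205): arch=c000003e syscall=59 success=yes exit=0',
]

_ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
_MSG_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
BUILD_SUBCOMMANDS = {"build", "bud", "build-using-dockerfile"}


def parse_execve_argv(line: str) -> Optional[List[str]]:
    """Return argv from an auditd EXECVE record, or None for other record types.

    auditd writes plain arguments as a0="..." and hex-encodes any argument that
    contains whitespace, quotes or non-printable bytes; both forms are decoded.
    """
    if "type=EXECVE" not in line:
        return None
    args: Dict[int, str] = {}
    for m in _ARG_RE.finditer(line):
        idx = int(m.group(1))
        if m.group(2) is not None:
            args[idx] = m.group(2)
        else:
            args[idx] = bytes.fromhex(m.group(3)).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]


def _to_int(value: str) -> Optional[int]:
    try:
        return int(value)
    except ValueError:
        return None


def parallel_jobs(argv: List[str]) -> Optional[int]:
    """Return the --jobs value of a podman/buildah build invocation.

    Returns None when argv is not a build of either tool or when --jobs is
    absent. Both spellings, --jobs=N and --jobs N, are recognised. The
    subcommand is taken to be the first argument that does not start with '-',
    which is a heuristic: a global option that takes a separate value would
    be misread as the subcommand.
    """
    if not argv or argv[0].rsplit("/", 1)[-1] not in ("podman", "buildah"):
        return None
    pos = next((i for i in range(1, len(argv)) if not argv[i].startswith("-")), None)
    if pos is None or argv[pos] not in BUILD_SUBCOMMANDS:
        return None
    rest = argv[pos + 1:]
    for i, arg in enumerate(rest):
        if arg.startswith("--jobs="):
            return _to_int(arg.split("=", 1)[1])
        if arg == "--jobs" and i + 1 < len(rest):
            return _to_int(rest[i + 1])
    return None


def find_parallel_builds(lines: List[str]) -> List[dict]:
    """Scan audit lines and return the build invocations with --jobs > 1."""
    hits = []
    for line in lines:
        argv = parse_execve_argv(line)
        if argv is None:
            continue
        jobs = parallel_jobs(argv)
        if jobs is not None and jobs > 1:
            m = _MSG_RE.search(line)
            hits.append({"event_id": m.group(2) if m else None, "jobs": jobs, "argv": argv})
    return hits


if __name__ == "__main__":
    for hit in find_parallel_builds(SAMPLE_AUDIT_LINES):
        print(f"event {hit['event_id']}: --jobs={hit['jobs']} {' '.join(hit['argv'])}")
```

On a real host the raw records would come from `ausearch -k container_build --raw` rather than the embedded list. A hit only shows that the precondition (a parallel-stage build) was met; whether the Containerfile was malicious has to be established from the build context, and the `--jobs=1` and `podman run` records are deliberately left unflagged because they do not satisfy it.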
Red Hat has issued patches via multiple errata addressing this vulnerability, including RHSA-2025:0830, RHSA-2025:0878, RHSA-2025:0922, RHSA-2025:0923, and RHSA-2025:1186. Security practitioners should review and apply these updates to affected systems running vulnerable versions of podman or buildah.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0135
Vulnerability details
A vulnerability was found in `podman build` and `buildah`. This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and directories on the host.
- CWE(s): CWE-269 (Improper Privilege Management)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Escape to Host (T1611)
Why these techniques?
A direct container escape via the race condition in the build tools gives the attacker access to the host, including enumeration of host files and directories.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the race condition in podman build and buildah by applying the vendor-issued patches (the RHSA-2025 errata listed above).
- Process isolation: enforces process isolation for containers (SELinux and the container runtime's namespacing) to limit breakout attempts triggered by the race condition during image builds; the advisory text notes that SELinux reduces but does not eliminate the impact.
- CM-7 (Least Functionality): limits podman and buildah to least functionality. Until patched, build with serial stages (`--jobs=1`, or omit the `--jobs` option) and do not build Containerfiles from untrusted sources, since parallel stage builds are what trigger the race.