podman: Podman machine init TLS certificate verification bypass (CVE-2025-6032) #shorts

Summary

Welcome to PodSec Weekly. Today we’re discussing CVE-2025-6032, a certificate validation flaw in Podman that can enable man-in-the-middle attacks when initializing container VMs.

Product details

The issue affects Podman’s machine init command across multiple Linux distributions, including SUSE and Red Hat variants. SUSE has released an important security update addressing this flaw in its podman package.

Vulnerability type summary

CVE-2025-6032 is classified as Improper Certificate Validation. It occurs when Podman fails to verify TLS certificates while downloading VM images from an OCI registry.

Details of the vulnerability

When you run podman machine init to pull a virtual machine image, Podman does not check the authenticity of the TLS certificate presented by the registry. An attacker positioned between your host and the registry could intercept the download, serve a malicious image, and compromise your container environment. The defect stems from missing or bypassed certificate checks in the machine initialization code.

Conclusion

If you use Podman machine init, update to the patched version provided by SUSE (and other vendors) immediately. Verifying TLS certificates is critical to preventing MITM attacks. That’s all for today’s episode of PodSec Weekly—stay secure and see you next time.

Watch the full video on YouTube: CVE-2025-6032

Remediation and exploitation details

This chain involves the following actors

  • Network attacker: Performs man-in-the-middle interception on network traffic
  • Podman user: Invokes podman machine init to download virtual machine images

The following systems are involved

  • Podman (Container and virtual machine management): Downloads VM images via the machine init command
  • OCI registry (Hosts virtual machine images): Serves image data over Transport Layer Security

Attack entry point

  • Unverified TLS connection: podman machine init does not verify the certificate presented by the registry
  • Network path: Attacker inserts into the path between Podman and the registry

Remediation actions

  • Podman user: Upgrade to a Podman version that enforces certificate validation (system: Podman)
  • System administrator: Apply the SUSE security update addressing CVE-2025-6032 (system: operating system packages)
  • Operations team: Configure strict certificate checks or pin known registry certificates (system: Podman configuration)
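The missing check described under "Details of the vulnerability" and the remediation "configure strict certificate checks or pin known registry certificates" come down to how the TLS client is configured and what it verifies. The following Go example is added here and is not Podman's own code: it mints a constructed trusted CA, a registry leaf, and a leaf from an untrusted CA entirely in memory, shows the verification step a safe podman machine init must perform (chain to a pinned root plus hostname match for the page's ociregistry.local), and puts the weak tls.Config beside the hardened one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mintCert builds a constructed in-memory certificate (not a real registry cert); parent == nil yields a self-signed CA.
func mintCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail here
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // the name hostname verification matches against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // no issuer given: make this a self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// verifyRegistryCert is the check the vulnerable code path skipped: chain the presented
// leaf to a trusted root and require the registry hostname to match (ServerAuth EKU is Verify's default).
func verifyRegistryCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Weak setting beside the corrected one: InsecureSkipVerify accepts any certificate (the
// defect class here); hardenedConfig pins the trusted root and keeps hostname verification on.
func insecureConfig() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }
func hardenedConfig(roots *x509.CertPool, host string) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}
}
```

With the hardened config, a leaf issued by the untrusted CA fails with an unknown-authority error and a genuine leaf presented for the wrong hostname fails the name check; with InsecureSkipVerify both are silently accepted.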

Exploitation actions

Man-in-the-middle interception
  • Actor: Network attacker
  • Action: Position proxy on the network path between the user and the image registry
  • Target: Network infrastructure
  • Example: Use ARP poisoning or DNS spoofing to redirect traffic through attacker-controlled proxy

Certificate forgery
  • Actor: Network attacker
  • Action: Present a self-signed or invalid certificate to Podman
  • Target: Podman TLS handshake
  • Example: Generate a certificate with attacker-controlled private key and serve it in place of the registry certificate

Blind acceptance of forged certificate
  • Actor: Podman user
  • Action: Run podman machine init to fetch images
  • Target: Podman
  • Example: podman machine init --image ociregistry.local/myvm:latest

Binary tampering
  • Actor: Network attacker
  • Action: Modify VM image layers in transit
  • Target: OCI registry payload
  • Example: Inject backdoor binary or altered loader into the downloaded image stream

Execution of tampered code
  • Actor: Podman user
  • Action: Trust and start the compromised VM image
  • Target: Local virtual machine
  • Example: podman machine start, leading to execution of injected malware within the VM

Related Content

CVE database technical details

CVE ID: CVE-2025-6032
Description: A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.
Provider: redhat
CWE / problem types: Improper Certificate Validation
Affected software versions (each entry is the rpm version the provider record marks as "unaffected", with that version and later unaffected):
  • Red Hat Enterprise Linux 10: 6:5.4.0-12.el10_0
  • Red Hat Enterprise Linux 8: 8100020250625105344.afee755d
  • Red Hat Enterprise Linux 9: 5:5.4.0-12.el9_6
  • Red Hat Enterprise Linux 9.4 Extended Update Support: 4:4.9.4-18.el9_4.2
  • Red Hat OpenShift Container Platform 4.16: 4:4.9.4-14.rhaos4.16.el8 and 416.94.202507222002-0
  • Red Hat OpenShift Container Platform 4.17: 5:5.2.2-8.rhaos4.17.el9
  • Red Hat OpenShift Container Platform 4.18: 418.94.202507221927-0 and 5:5.2.2-9.rhaos4.18.el9
  • Red Hat OpenShift Container Platform 4.19: 4.19.9.6.202507152218-0 and 5:5.4.0-6.rhaos4.19.el9
  • Red Hat OpenShift Container Platform 4: no version data in the record
Date published: 2025-06-24T13:50:47.955Z
Last updated: 2025-07-30T22:14:47.716Z