CVE-2025-58354 MEDIUM

CVE-2025-58354: Kata Containers coco-tdx malicious host can circumvent initdata verification

Vendor Kata-Containers
Product kata-containers
Weakness CWE-754
Published September 23, 2025
Last update September 24, 2025

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In Kata Containers versions from 3.20.0 and before, a malicious host can circumvent initdata verification. On TDX systems running confidential guests, a malicious host can selectively fail IO operations to skip initdata verification. This allows an attacker to launch arbitrary workloads while being able to attest successfully to Trustee impersonating any benign workload. This issue has been patched in Kata Containers version 3.21.0.

Key dates

02Disclosure timeline

September 23, 2025 CVE published
September 24, 2025 Record updated