
CVE-2025-4437: Allocation of Resources Without Limits or Throttling in Red Hat OpenShift Container Platform 4

Severity: Medium
Published: Wed Aug 20 2025 (08/20/2025, 12:19:18 UTC)
Source: CVE Database V5
Vendor/Project: Red Hat
Product: Red Hat OpenShift Container Platform 4

Description

There's a vulnerability in the CRI-O application where, when a container is launched with securityContext.runAsUser specifying a non-existent user, CRI-O attempts to create the user, reading the container's entire /etc/passwd file into memory. If this file is excessively large, it can cause high memory consumption, leading to applications being killed due to out-of-memory. As a result, a denial-of-service can be achieved, possibly disrupting other pods and services running on the same host.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 14:33:19 UTC

Technical Analysis

CVE-2025-4437 is a vulnerability identified in the CRI-O container runtime component used by Red Hat OpenShift Container Platform 4. The issue arises when a container is launched with the securityContext.runAsUser field specifying a user ID that does not exist inside the container's user database. In response, CRI-O attempts to create the user by reading the container's entire /etc/passwd file into memory. If this file is unusually large, this operation can cause excessive memory consumption on the host system. Such memory exhaustion can lead to out-of-memory (OOM) conditions, causing the kernel or container runtime to kill processes, including critical applications and other pods running on the same host node. This results in a denial-of-service (DoS) condition affecting availability. The vulnerability requires that an attacker have privileges to launch containers with specific user contexts and some user interaction to trigger the condition. The CVSS 3.1 base score is 5.7, reflecting medium severity with network attack vector, low attack complexity, privileges required, and user interaction needed. There is no impact on confidentiality or integrity, only availability. No known exploits have been reported in the wild as of the publication date. The vulnerability highlights a resource allocation flaw where limits or throttling are not enforced when reading large user database files during container startup. This can be exploited to disrupt workloads in multi-tenant or shared cluster environments. Mitigation will likely involve vendor patches to limit memory usage or validate /etc/passwd file size, as well as operational controls to prevent excessively large passwd files inside containers.

Potential Impact

The primary impact of CVE-2025-4437 is denial-of-service through resource exhaustion on hosts running Red Hat OpenShift Container Platform 4 with CRI-O. Excessive memory consumption can cause the kernel or container runtime to kill processes, disrupting not only the targeted container but also other pods and services sharing the same node. This can degrade cluster availability and reliability, potentially affecting critical workloads and business operations. In multi-tenant environments, an attacker with container launch privileges could intentionally trigger this condition to disrupt other tenants. While confidentiality and integrity are not affected, the availability impact can be significant, especially in production environments with high workload density. The requirement for privileges and user interaction limits the attack surface but does not eliminate risk in environments where users can deploy containers with custom security contexts. Organizations relying on OpenShift 4 for container orchestration should consider this vulnerability a moderate operational risk that could lead to service outages and increased operational overhead for remediation and recovery.

Mitigation Recommendations

To mitigate CVE-2025-4437, organizations should take the following specific actions:

1) Monitor and audit container images and runtime environments to ensure /etc/passwd files are of reasonable size and do not contain excessive entries that could trigger high memory usage.
2) Implement strict admission controls and policies to restrict the ability of users to launch containers with arbitrary or non-existent runAsUser values, limiting privilege escalation or misuse.
3) Apply any vendor-provided patches or updates from Red Hat addressing this vulnerability as soon as they become available.
4) Use resource quotas and limits at the Kubernetes/OpenShift level to constrain memory usage per pod and node, reducing the impact of memory exhaustion events.
5) Employ runtime monitoring and alerting to detect unusual memory consumption patterns on nodes hosting OpenShift workloads.
6) Consider isolating critical workloads on dedicated nodes to minimize collateral impact from DoS caused by other containers.
7) Educate developers and operators about the risks of specifying non-existent users in security contexts and enforce best practices for container user management.

Combined, these measures reduce both the likelihood and the impact of exploitation.
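Steps 1 and 2 above can be checked before a pod is admitted. The following script is an added illustration (not Red Hat or CRI-O code) that audits a pod manifest for the two conditions the advisory describes: a runAsUser absent from the image's /etc/passwd, and an oversized /etc/passwd. The pod spec, passwd contents and the 64 KiB size budget are constructed assumptions; in practice the passwd content would be extracted from the image.

```python
"""Audit a pod spec against the CVE-2025-4437 conditions.

Added illustration, not Red Hat/CRI-O code: flags containers whose
runAsUser is missing from the image's /etc/passwd (the code path the
advisory describes) and images whose /etc/passwd exceeds a size budget.
"""
MAX_PASSWD_BYTES = 64 * 1024  # assumed policy budget; tune to your images


def parse_passwd_uids(passwd_text):
    """Return the set of numeric UIDs declared in passwd-format text."""
    uids = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids.add(int(fields[2]))
    return uids


def audit_pod(pod, image_passwd):
    """pod: dict shaped like a Kubernetes Pod manifest.
    image_passwd: {image_ref: content of that image's /etc/passwd}.
    Returns a list of (container_name, finding) tuples."""
    findings = []
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        # A container-level securityContext overrides the pod-level one.
        uid = c.get("securityContext", {}).get("runAsUser", pod_ctx.get("runAsUser"))
        passwd = image_passwd.get(c["image"], "")
        if len(passwd.encode()) > MAX_PASSWD_BYTES:
            findings.append((c["name"], "oversized /etc/passwd"))
        if uid is not None and uid not in parse_passwd_uids(passwd):
            findings.append((c["name"], f"runAsUser {uid} absent from /etc/passwd"))
    return findings


# Constructed sample data: a two-user passwd file and a pod where one
# container overrides runAsUser with a UID the image does not define.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\napp:x:1000:1000::/app:/sbin/nologin\n"
SAMPLE_POD = {"spec": {"securityContext": {"runAsUser": 1000}, "containers": [
    {"name": "web", "image": "example/web:1", "securityContext": {"runAsUser": 4242}},
    {"name": "sidecar", "image": "example/web:1"}]}}

if __name__ == "__main__":
    for name, msg in audit_pod(SAMPLE_POD, {"example/web:1": SAMPLE_PASSWD}):
        print(f"{name}: {msg}")
```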


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-05-08T15:35:44.324Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68a5c06fad5a09ad0004bfed

Added to database: 8/20/2025, 12:32:47 PM

Last enriched: 2/27/2026, 2:33:19 PM

Last updated: 3/25/2026, 2:44:53 AM
