Kubernetes NS Deletion Bypass: Policies Deleted Before Pods
CVE-2024-7598 Published on March 20, 2025
Network restriction bypass via race condition during namespace termination
A security issue was discovered in Kubernetes where a malicious or compromised pod could bypass network restrictions enforced by network policies during namespace deletion. The order in which objects are deleted during namespace termination is not defined, and it is possible for network policies to be deleted before the pods that they protect. This can lead to a brief period in which the pods are running, but network policies that should apply to connections to and from the pods are not enforced.
Vulnerability Analysis
Weakness Type
What is a Race Condition Vulnerability?
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
CVE-2024-7598 has been classified to as a Race Condition vulnerability or weakness.
Products Associated with CVE-2024-7598
Want to know whenever a new CVE is published for Kubernetes? stack.watch will email you.
Affected Versions
Kubernetes kube-apiserver:- Version 1.3.0 is affected.
- Before 1.3.0 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.