Dstack-Capsule: Pod-Level Remote Attestation for Confidential Workloads on Kubernetes

The rise of LLM-as-a-Service and other confidential cloud workloads demands cryptographic proof that user data is processed in a trusted, untampered environment. Existing solutions, notably Confidential Containers CoCo, enforce a strict "one Pod per VM" model that attests only the Guest OS stack,...

SUSE CVE-2026-32768

Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. In versions prior to 0.6.5, due to a miswritten NetworkPolicy, a malicious actor can pivot from an instance to any Pod out of the origin namespace. This breaks the security-by-default property expected as...

CVE-2026-32768

Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. In versions prior to 0.6.5, due to a miswritten NetworkPolicy, a malicious actor can pivot from an instance to any Pod out of the origin namespace. This breaks the security-by-default property expected as...

CVE-2026-32768

CVE-2026-32768—Summary (Chall-Manager) : Chall-Manager (platform-agnostic) contained a miswritten NetworkPolicy prior to version 0.6.5, enabling a malicious actor to pivot from an instance to any Pod outside the origin namespace, creating a potential lateral movement risk. The issue is specifical...

PT-2026-25860

Name of the Vulnerable Software and Affected Versions Chall-Manager versions prior to 0.6.5 Description Chall-Manager is a platform-agnostic system designed to initiate challenges on demand. A misconfigured NetworkPolicy in versions prior to 0.6.5 allows a malicious actor to move laterally from o...

CVE-2025-53710

Due to a product misconfiguration in certain deployment types, it was possible from different pods in the same namespace to communicate with each other. This issue resulted in bypass of access control due to the presence of a vulnerable endpoint in Foundry Container Service that executed...

Cri-o: pods are able to break out of resource confinement on cgroupv2

...