[CVE-2025-23266] False positive on RHCOS

[dark-vex]

IDs

CVE-2025-23266

Description

Trivy does report the package toolbox vulnerable to CVE-2025-23266 on OCP/RHCOS

According to RHEL advisory and vex feed only RHEL 9/10 and RHEL AI are vulnerable.

Reproduction Steps

You can reproduce it by pulling the image used to build RHCOS (instead of having an OCP cluster)
1. Have an OCP pull secret for quay.io
2. Pull the image `quay.io/openshift-release-dev/ocp-v4.0-art-dev:4.19-9.6-202510140714-node-image`
3. Scan it with trivy

├─────────────────────────────┼────────────────┼──────────┼─────────────────────┼───────────────────────────────┼───────────────────────┼──────────────────────────────────────────────────────────────┤
│ toolbox                     │ CVE-2025-23266 │ HIGH     │ fixed               │ 0.1.2-1.rhaos4.19.el9         │ 0.2-1.el9_6           │ nvidia-container-toolkit: Privilege Escalation via Hook      │
│                             │                │          │                     │                               │                       │ Initialization in NVIDIA Container Toolkit                   │
│                             │                │          │                     │                               │                       │ https://avd.aquasec.com/nvd/cve-2025-23266                   │
│                             ├────────────────┼──────────┼─────────────────────┤                               ├───────────────────────┼──────────────────────────────────────────────────────────────┤

:~# docker run -it --entrypoint /bin/bash --rm --name ocp-4-18 quay.io/openshift-release-dev/ocp-v4.0-art-dev:4.19-9.6-202510140714-node-image 
   
bash-5.1# cat /etc/os-release 
NAME="Red Hat Enterprise Linux CoreOS"
VERSION="9.6.20251013-1 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.6"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux CoreOS 9.6.20251013-1 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://issues.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.6
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.6"
OSTREE_VERSION='9.6.20251013-1'
VARIANT=CoreOS
VARIANT_ID=coreos
OPENSHIFT_VERSION="4.19"

### Target

Filesystem

### Scanner

Vulnerability

### Target OS

Red Hat Core OS

### Debug Output

```bash
-

Version

~# docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy --version
Version: 0.67.2

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @dark-vex

Thanks for your report!

Trivy finds RedHat vulnerabilities based on contentSets.
Can you share /usr/share/buildinfo/*.json contents set files to investigation?

Regards, Dmitriy

[dark-vex]

Hello Dmitriy!

apologies for the late response, below the contents set files, I took it from both the host and container image used by RedHat for build CoreOS:

 ➜ oc debug node/ocp-azure-fcg4b-worker-northeurope1-tzpj4
Starting pod/ocp-azure-fcg4b-worker-northeurope1-tzpj4-debug-5x5d9 ...
To use host binaries, run `chroot /host`. Instead, if you need to access host namespaces, run `nsenter -a -t 1`.

Pod IP: 10.0.128.6
If you don't see a command prompt, try pressing enter.
sh-5.1# chroot /host
sh-5.1# cat /usr/share/buildinfo/content_manifest.json
{"metadata": {"icm_version": 1, "icm_spec": "https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json", "image_layer_index": 1}, "content_sets": ["rhel-9-for-x86_64-baseos-eus-rpms__9_DOT_6", "rhel-9-for-x86_64-appstream-eus-rpms__9_DOT_6"], "image_contents": []}

• Container

:~#  docker run -it --entrypoint /bin/bash --rm --name ocp-4-18 quay.io/openshift-release-dev/ocp-v4.0-art-dev:4.19-9.6-202510140714-node-image

bash-5.1# cat /usr/share/buildinfo/content_manifest.json
{"metadata": {"icm_version": 1, "icm_spec": "https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json", "image_layer_index": 1}, "content_sets": ["rhel-9-for-x86_64-baseos-eus-rpms__9_DOT_6", "rhel-9-for-x86_64-appstream-eus-rpms__9_DOT_6"], "image_contents": []}

[DmitriyLewen]

Hello @dark-vex
Thanks for this information.

The rhel-9-for-x86_64-appstream-eus-rpms__9_DOT_6 content set was used for the installed packages. This content set corresponds to cpe:/a:redhat:rhel_eus:9.6::appstream -
https://github.com/aquasecurity/vuln-list-redhat/blob/d001e394187cba3e71c6ae5f8fef51025b59fa20/cpe/repository-to-cpe.json#L32437-L32439

In RHSA‑2025:13673, this CPE is marked as vulnerable - https://github.com/aquasecurity/vuln-list-redhat/blob/d001e394187cba3e71c6ae5f8fef51025b59fa20/oval/9/rhel-9.6-eus/definitions/2025/RHSA-2025%3A13673.json#L56