The Open Source Technology Improvement Fund is proud to share the results of our security audit of CRI-O. CRI-O is an OCI-compliant (-O) implementation of the Kubernetes Container Runtime Interface (CRI) that provides the backend between OCI-format container images and the Kubernetes control plane. With the help of X41 D-Sec and the Cloud Native Computing Foundation (CNCF), CRI-O completed their second security audit with OSTIF.

Audit Process:

This security engagement took place in late fall of 2025 and was performed by an audit team from X41. By manually reviewing the source code from the CRI-O public repository, with additional support from static analysis tooling, the auditors evaluated the security health of the project. Paying particular attention to package dependencies, the sandbox implementation, fuzzing integration, DoS vectors, and image verification processes, the auditors inspected the project for multiple security concerns relevant to its functionality.

Audit Results:

The auditors’ report describes the CRI-O code as “well-designed and effectively executed, striking a sound balance between minimalism and practical robustness.” The engagement identified two findings with security impact; while both are rated Informational, the report urges robust and automated security best practices to support runtime security and reliability.

Thank you to the individuals and groups that made this engagement possible:

You can read the Audit Report HERE

You can read X41’s Blog HERE