SB2026011803 - Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak
Published: January 18, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2025-47290)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a race condition while unpacking an image during an image pull. A remote attacker can trick the victim into using a specially crafted image and perform arbitrary modifications of the host file system, leading to its compromise.
2) Improper Preservation of Permissions (CVE-ID: CVE-2025-47291)
CWE-ID: CWE-281 - Improper preservation of permissions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to the CRI implementation does not put usernamespaced containers under the Kubernetes' cgroup hierarchy, which causes Kubernetes limits not to be honored. A local user or malicious application inside the container can perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.