Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    44 vulnerabilities found for containerd by containerd

    CVE-2026-53492 (GCVE-0-2026-53492)

    Vulnerability from nvd – Published: 2026-07-01 17:59 – Updated: 2026-07-01 17:59
    VLAI
    Title
    containerd CRI checkpoint restore CDI annotation smuggling
    Summary
    containerd is an open-source container runtime. In Versions prior to 2.3.2, 2.2.5 and 2.1.9, the CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations from the checkpoint archive rather than relying solely on the pod's create-time specification. This allows a user with pod creation permissions to bypass standard Kubernetes resource allocation and device plugin enforcement, injecting arbitrary CDI edits (such as device nodes and host mounts) into the restored container. Successful exploitation requires that the node has CDI enabled and contains a matching host CDI specification for the requested device; environments where CDI is disabled or lacking sensitive device specifications are not affected. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    containerd containerd Affected: >= 2.1.0, < 2.1.9
    Affected: >= 2.2.0, < 2.2.5
    Affected: >= 2.3.0, < 2.3.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.1.0, \u003c 2.1.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.0, \u003c 2.2.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.3.0, \u003c 2.3.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. In Versions prior to 2.3.2, 2.2.5 and 2.1.9, the CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations from the checkpoint archive rather than relying solely on the pod\u0027s create-time specification. This allows a user with pod creation permissions to bypass standard Kubernetes resource allocation and device plugin enforcement, injecting arbitrary CDI edits (such as device nodes and host mounts) into the restored container. Successful exploitation requires that the node has CDI enabled and contains a matching host CDI specification for the requested device; environments where CDI is disabled or lacking sensitive device specifications are not affected. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T17:59:12.552Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-33vj-92qq-66hc",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-33vj-92qq-66hc"
            }
          ],
          "source": {
            "advisory": "GHSA-33vj-92qq-66hc",
            "discovery": "UNKNOWN"
          },
          "title": "containerd CRI checkpoint restore CDI annotation smuggling"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53492",
        "datePublished": "2026-07-01T17:59:12.552Z",
        "dateReserved": "2026-06-09T17:05:25.059Z",
        "dateUpdated": "2026-07-01T17:59:12.552Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53489 (GCVE-0-2026-53489)

    Vulnerability from nvd – Published: 2026-07-01 18:10 – Updated: 2026-07-01 18:10
    VLAI
    Title
    containerd: Arbitrary host CRI log file read via symlink following in CRI checkpoint restore
    Summary
    containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
    CWE
    • CWE-61 - UNIX Symbolic Link (Symlink) Following
    Assigner
    References
    Impacted products
    Vendor Product Version
    containerd containerd Affected: >= 2.1.0, < 2.1.9
    Affected: >= 2.2.0, < 2.2.5
    Affected: >= 2.3.0, < 2.3.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.1.0, \u003c 2.1.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.0, \u003c 2.2.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.3.0, \u003c 2.3.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-61",
                  "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T18:10:41.802Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-rgh6-rfwx-v388",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-rgh6-rfwx-v388"
            }
          ],
          "source": {
            "advisory": "GHSA-rgh6-rfwx-v388",
            "discovery": "UNKNOWN"
          },
          "title": "containerd: Arbitrary host CRI log file read via symlink following in CRI checkpoint restore"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53489",
        "datePublished": "2026-07-01T18:10:41.802Z",
        "dateReserved": "2026-06-09T17:05:25.059Z",
        "dateUpdated": "2026-07-01T18:10:41.802Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50195 (GCVE-0-2026-50195)

    Vulnerability from nvd – Published: 2026-07-01 17:50 – Updated: 2026-07-01 18:32
    VLAI
    Title
    containerd: CRI checkpoint import allows local image tag poisoning
    Summary
    containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the CRI checkpoint import process where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local tag, thereby poisoning the node's local image cache. Subsequently, if other pods on the same node attempt to use the poisoned tag with an IfNotPresent (or Never) pull policy, they will unknowingly execute the attacker's malicious image instead of the legitimate one. This can lead to a compromise of the affected pods, allowing the attacker to execute arbitrary code under the victim pod's identity. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    • CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
    Assigner
    References
    Impacted products
    Vendor Product Version
    containerd containerd Affected: >= 2.1.0, < 2.1.9
    Affected: >= 2.2.0, < 2.2.5
    Affected: >= 2.3.0, < 2.3.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50195",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T18:32:22.918998Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T18:32:29.659Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.1.0, \u003c 2.1.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.0, \u003c 2.2.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.3.0, \u003c 2.3.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the CRI checkpoint import process where it fails to validate the image references specified within a checkpoint image\u0027s configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local tag, thereby poisoning the node\u0027s local image cache. Subsequently, if other pods on the same node attempt to use the poisoned tag with an IfNotPresent (or Never) pull policy, they will unknowingly execute the attacker\u0027s malicious image instead of the legitimate one. This can lead to a compromise of the affected pods, allowing the attacker to execute arbitrary code under the victim pod\u0027s identity. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-829",
                  "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T17:50:53.072Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-cvxm-645q-p574",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-cvxm-645q-p574"
            }
          ],
          "source": {
            "advisory": "GHSA-cvxm-645q-p574",
            "discovery": "UNKNOWN"
          },
          "title": "containerd: CRI checkpoint import allows local image tag poisoning"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50195",
        "datePublished": "2026-07-01T17:50:53.072Z",
        "dateReserved": "2026-06-03T22:05:13.645Z",
        "dateUpdated": "2026-07-01T18:32:29.659Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47262 (GCVE-0-2026-47262)

    Vulnerability from nvd – Published: 2026-07-01 17:48 – Updated: 2026-07-01 18:34
    VLAI
    Title
    containerd image-triggered runtime DoS via unbounded group parsing
    Summary
    containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2, contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components. This issue has been fixed in versions 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    containerd containerd Affected: >= 1.7.0, < 1.7.33
    Affected: >= 2.0.0, < 2.0.10
    Affected: >= 2.1.0, < 2.1.9
    Affected: >= 2.2.0, < 2.2.5
    Affected: >= 2.3.0, < 2.3.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47262",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T18:33:54.105358Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T18:34:06.714Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.7.0, \u003c 1.7.33"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.0.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.1.0, \u003c 2.1.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.0, \u003c 2.2.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.3.0, \u003c 2.3.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2, contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components. This issue has been fixed in versions 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T17:48:43.205Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-jpcc-p29g-p8mq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-jpcc-p29g-p8mq"
            }
          ],
          "source": {
            "advisory": "GHSA-jpcc-p29g-p8mq",
            "discovery": "UNKNOWN"
          },
          "title": "containerd image-triggered runtime DoS via unbounded group parsing"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47262",
        "datePublished": "2026-07-01T17:48:43.205Z",
        "dateReserved": "2026-05-18T23:03:37.229Z",
        "dateUpdated": "2026-07-01T18:34:06.714Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-46680 (GCVE-0-2026-46680)

    Vulnerability from nvd – Published: 2026-07-01 17:40 – Updated: 2026-07-01 17:40
    VLAI
    Title
    containerd user ID handling bypass allows runAsNonRoot evasion
    Summary
    containerd is an open-source container runtime. In versions prior to 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username, leading to runAsNonRoot evasion. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user. This issue has been fixed in versions 1.7.32, 2.0.9, 2.2.4 and 2.3.1.
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.7.32
    Affected: >= 2.0.4, < 2.0.9
    Affected: >= 2.0.10, < 2.2.4
    Affected: >= 2.2.5, < 2.3.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.7.32"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.4, \u003c 2.0.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.10, \u003c 2.2.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.5, \u003c 2.3.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. In versions prior to 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username, leading to runAsNonRoot evasion. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user. This issue has been fixed in versions 1.7.32, 2.0.9, 2.2.4 and 2.3.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T17:40:25.499Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w"
            }
          ],
          "source": {
            "advisory": "GHSA-fqw6-gf59-qr4w",
            "discovery": "UNKNOWN"
          },
          "title": "containerd user ID handling bypass allows runAsNonRoot evasion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46680",
        "datePublished": "2026-07-01T17:40:25.499Z",
        "dateReserved": "2026-05-15T21:46:51.547Z",
        "dateUpdated": "2026-07-01T17:40:25.499Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53488 (GCVE-0-2026-53488)

    Vulnerability from nvd – Published: 2026-07-01 00:11 – Updated: 2026-07-01 14:26
    VLAI
    Title
    containerd CRI plugin: — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull
    Summary
    containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.7.33
    Affected: >= 2.0.0, < 2.0.10
    Affected: >= 2.1.0, < 2.1.9
    Affected: >= 2.2.0, < 2.2.5
    Affected: >= 2.3.0, < 2.3.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53488",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T13:34:04.424739Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T14:26:09.809Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.7.33"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.0.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.1.0, \u003c 2.1.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.0, \u003c 2.2.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.3.0, \u003c 2.3.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T00:11:20.610Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-xhf5-7wjv-pqxp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-xhf5-7wjv-pqxp"
            }
          ],
          "source": {
            "advisory": "GHSA-xhf5-7wjv-pqxp",
            "discovery": "UNKNOWN"
          },
          "title": "containerd CRI plugin: \u2014 image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53488",
        "datePublished": "2026-07-01T00:11:20.610Z",
        "dateReserved": "2026-06-09T17:05:25.059Z",
        "dateUpdated": "2026-07-01T14:26:09.809Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64329 (GCVE-0-2025-64329)

    Vulnerability from nvd – Published: 2025-11-07 04:15 – Updated: 2025-11-07 17:42
    VLAI
    Title
    containerd CRI server: Host memory exhaustion through Attach goroutine leak
    Summary
    containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-401 - Missing Release of Memory after Effective Lifetime
    Assigner
    References
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.7.29
    Affected: < 2.0.7
    Affected: >= 2.1.0-beta.0, < 2.1.5
    Affected: >= 2.2.0-beta.0, < 2.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64329",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-07T17:41:50.476907Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-07T17:42:07.929Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.7.29"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.0.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.1.0-beta.0, \u003c 2.1.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.0-beta.0, \u003c 2.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-401",
                  "description": "CWE-401: Missing Release of Memory after Effective Lifetime",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-07T04:15:09.381Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df"
            }
          ],
          "source": {
            "advisory": "GHSA-m6hq-p25p-ffr2",
            "discovery": "UNKNOWN"
          },
          "title": "containerd CRI server: Host memory exhaustion through Attach goroutine leak"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64329",
        "datePublished": "2025-11-07T04:15:09.381Z",
        "dateReserved": "2025-10-30T17:40:52.028Z",
        "dateUpdated": "2025-11-07T17:42:07.929Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-25621 (GCVE-0-2024-25621)

    Vulnerability from nvd – Published: 2025-11-06 18:36 – Updated: 2025-11-06 19:35
    VLAI
    Title
    containerd affected by a local privilege escalation via wide permissions on CRI directory
    Summary
    containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-279 - Incorrect Execution-Assigned Permissions
    Assigner
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.7.29
    Affected: >= 2.0.0-beta.0, < 2.0.7
    Affected: >= 2.1.0-beta.0, < 2.1.5
    Affected: >= 2.2.0-beta.0, < 2.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-25621",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-06T19:34:44.710425Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-06T19:35:13.415Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.7.29"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0-beta.0, \u003c 2.0.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.1.0-beta.0, \u003c 2.1.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.0-beta.0, \u003c 2.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-279",
                  "description": "CWE-279: Incorrect Execution-Assigned Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-06T18:36:21.566Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5"
            },
            {
              "name": "https://github.com/containerd/containerd/blob/main/docs/rootless.md",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/blob/main/docs/rootless.md"
            }
          ],
          "source": {
            "advisory": "GHSA-pwhc-rpq9-4c8w",
            "discovery": "UNKNOWN"
          },
          "title": "containerd affected by a local privilege escalation via wide permissions on CRI directory"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-25621",
        "datePublished": "2025-11-06T18:36:21.566Z",
        "dateReserved": "2024-02-08T22:26:33.511Z",
        "dateUpdated": "2025-11-06T19:35:13.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47291 (GCVE-0-2025-47291)

    Vulnerability from nvd – Published: 2025-05-21 17:26 – Updated: 2025-05-21 19:19
    VLAI
    Title
    containerd CRI plugin: Incorrect cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods.
    Summary
    containerd is an open-source container runtime. A bug was found in the containerd's CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn't put usernamespaced containers under the Kubernetes' cgroup hierarchy, therefore some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node. This bug has been fixed in containerd 2.0.5+ and 2.1.0+. Users should update to these versions to resolve the issue. As a workaround, disable usernamespaced pods in Kubernetes temporarily.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    References
    Impacted products
    Vendor Product Version
    containerd containerd Affected: >= 2.0.1, < 2.0.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47291",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-21T19:19:32.387955Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-21T19:19:39.944Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.1, \u003c 2.0.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. A bug was found in the containerd\u0027s CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn\u0027t put usernamespaced containers under the Kubernetes\u0027 cgroup hierarchy, therefore some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node. This bug has been fixed in containerd 2.0.5+ and 2.1.0+. Users should update to these versions to resolve the issue. As a workaround, disable usernamespaced pods in Kubernetes temporarily."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "CWE-266: Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-21T17:26:31.141Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-cxfp-7pvr-95ff",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-cxfp-7pvr-95ff"
            }
          ],
          "source": {
            "advisory": "GHSA-cxfp-7pvr-95ff",
            "discovery": "UNKNOWN"
          },
          "title": "containerd CRI plugin: Incorrect cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods."
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-47291",
        "datePublished": "2025-05-21T17:26:31.141Z",
        "dateReserved": "2025-05-05T16:53:10.374Z",
        "dateUpdated": "2025-05-21T19:19:39.944Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-47290 (GCVE-0-2025-47290)

    Vulnerability from nvd – Published: 2025-05-20 18:25 – Updated: 2025-05-20 18:44
    VLAI
    Title
    Containerd vulnerable to host filesystem access during image unpack
    Summary
    containerd is a container runtime. A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system. The only affected version of containerd is 2.1.0. Other versions of containerd are not affected. This bug has been fixed in containerd 2.1.1. Users should update to this version to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
    Assigner
    Impacted products
    Vendor Product Version
    containerd containerd Affected: = 2.1.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47290",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-20T18:43:21.823258Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-20T18:44:19.248Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 2.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is a container runtime. A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system. The only affected version of containerd is 2.1.0.  Other versions of containerd are not affected. This bug has been fixed in containerd 2.1.1. Users should update to this version to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-367",
                  "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-20T18:25:51.703Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-cm76-qm8v-3j95",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-cm76-qm8v-3j95"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/cada13298fba85493badb6fecb6ccf80e49673cc",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/cada13298fba85493badb6fecb6ccf80e49673cc"
            },
            {
              "name": "https://github.com/containerd/containerd/releases/tag/v2.1.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/releases/tag/v2.1.1"
            }
          ],
          "source": {
            "advisory": "GHSA-cm76-qm8v-3j95",
            "discovery": "UNKNOWN"
          },
          "title": "Containerd vulnerable to host filesystem access during image unpack"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-47290",
        "datePublished": "2025-05-20T18:25:51.703Z",
        "dateReserved": "2025-05-05T16:53:10.374Z",
        "dateUpdated": "2025-05-20T18:44:19.248Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-40635 (GCVE-0-2024-40635)

    Vulnerability from nvd – Published: 2025-03-17 21:32 – Updated: 2025-05-04 22:02
    VLAI
    Title
    containerd has an integer overflow in User ID handling
    Summary
    containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-190 - Integer Overflow or Wraparound
    Assigner
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.6.38
    Affected: >= 1.7.0-beta.0, < 1.7.27
    Affected: >= 2.0.0-beta.0, < 2.0.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-40635",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-18T14:17:05.162920Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-18T14:17:14.209Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-05-04T22:02:39.748Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.38"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.7.0-beta.0, \u003c 1.7.27"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0-beta.0, \u003c 2.0.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-17T21:32:37.894Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a"
            }
          ],
          "source": {
            "advisory": "GHSA-265r-hfxg-fhmg",
            "discovery": "UNKNOWN"
          },
          "title": "containerd has an integer overflow in User ID handling"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-40635",
        "datePublished": "2025-03-17T21:32:37.894Z",
        "dateReserved": "2024-07-08T16:13:15.511Z",
        "dateUpdated": "2025-05-04T22:02:39.748Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25173 (GCVE-0-2023-25173)

    Vulnerability from nvd – Published: 2023-02-16 14:09 – Updated: 2025-03-10 21:10
    VLAI
    Title
    containerd supplementary groups are not set up properly
    Summary
    containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.5.18
    Affected: >= 1.6.0, < 1.6.18
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:35.671Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p"
              },
              {
                "name": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4"
              },
              {
                "name": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a"
              },
              {
                "name": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96"
              },
              {
                "name": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp"
              },
              {
                "name": "https://github.com/advisories/GHSA-phjr-8j92-w5v7",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-phjr-8j92-w5v7"
              },
              {
                "name": "https://github.com/containerd/containerd/releases/tag/v1.5.18",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
              },
              {
                "name": "https://github.com/containerd/containerd/releases/tag/v1.6.18",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
              },
              {
                "name": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25173",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T21:00:44.060345Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T21:10:38.648Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.5.18"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.18"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.\n\nThis bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd\u0027s client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `\"USER $USERNAME\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\"su\", \"-\", \"user\"]` to allow `su` to properly set up supplementary groups."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-15T20:06:31.329Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p"
            },
            {
              "name": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a"
            },
            {
              "name": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96"
            },
            {
              "name": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp"
            },
            {
              "name": "https://github.com/advisories/GHSA-phjr-8j92-w5v7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/advisories/GHSA-phjr-8j92-w5v7"
            },
            {
              "name": "https://github.com/containerd/containerd/releases/tag/v1.5.18",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
            },
            {
              "name": "https://github.com/containerd/containerd/releases/tag/v1.6.18",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
            },
            {
              "name": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"
            }
          ],
          "source": {
            "advisory": "GHSA-hmfx-3pcx-653p",
            "discovery": "UNKNOWN"
          },
          "title": "containerd supplementary groups are not set up properly"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-25173",
        "datePublished": "2023-02-16T14:09:12.073Z",
        "dateReserved": "2023-02-03T16:59:18.247Z",
        "dateUpdated": "2025-03-10T21:10:38.648Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25153 (GCVE-0-2023-25153)

    Vulnerability from nvd – Published: 2023-02-16 14:09 – Updated: 2025-03-10 21:10
    VLAI
    Title
    containerd OCI image importer memory exhaustion
    Summary
    containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.5.18
    Affected: >= 1.6.0, < 1.6.18
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:35.221Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2"
              },
              {
                "name": "https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4"
              },
              {
                "name": "https://github.com/containerd/containerd/releases/tag/v1.5.18",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
              },
              {
                "name": "https://github.com/containerd/containerd/releases/tag/v1.6.18",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25153",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T20:57:30.825093Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T21:10:44.159Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.5.18"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.18"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18.  Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-16T14:09:08.519Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4"
            },
            {
              "name": "https://github.com/containerd/containerd/releases/tag/v1.5.18",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
            },
            {
              "name": "https://github.com/containerd/containerd/releases/tag/v1.6.18",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
            }
          ],
          "source": {
            "advisory": "GHSA-259w-8hf6-59c2",
            "discovery": "UNKNOWN"
          },
          "title": "containerd OCI image importer memory exhaustion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-25153",
        "datePublished": "2023-02-16T14:09:08.519Z",
        "dateReserved": "2023-02-03T16:59:18.242Z",
        "dateUpdated": "2025-03-10T21:10:44.159Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-23471 (GCVE-0-2022-23471)

    Vulnerability from nvd – Published: 2022-12-07 22:51 – Updated: 2025-04-23 16:31
    VLAI
    Title
    containerd CRI stream server: Host memory exhaustion through terminal resize goroutine leak
    Summary
    containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.5.16
    Affected: >= 1.6.0, < 1.6.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:43:46.038Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9"
              },
              {
                "name": "https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202401-31"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-23471",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T13:52:53.736356Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-23T16:31:30.024Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.5.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open source container runtime. A bug was found in containerd\u0027s CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user\u0027s process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd\u0027s CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16.  Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-31T13:06:15.170Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0"
            },
            {
              "url": "https://security.gentoo.org/glsa/202401-31"
            }
          ],
          "source": {
            "advisory": "GHSA-2qjp-425j-52j9",
            "discovery": "UNKNOWN"
          },
          "title": "containerd CRI stream server: Host memory exhaustion through terminal resize goroutine leak"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-23471",
        "datePublished": "2022-12-07T22:51:34.193Z",
        "dateReserved": "2022-01-19T21:23:53.757Z",
        "dateUpdated": "2025-04-23T16:31:30.024Z",
        "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-31030 (GCVE-0-2022-31030)

    Vulnerability from nvd – Published: 2022-06-06 00:00 – Updated: 2024-08-03 07:03
    VLAI
    Title
    containerd CRI plugin: Host memory exhaustion through ExecSync
    Summary
    containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.5.13
    Affected: >= 1.6.0, < 1.6.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T07:03:40.336Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382"
              },
              {
                "name": "[oss-security] 20220606 CVE-2022-31030: containerd CRI plugin: Host memory exhaustion through ExecSync",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/06/07/1"
              },
              {
                "name": "DSA-5162",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2022/dsa-5162"
              },
              {
                "name": "FEDORA-2022-725ac93b48",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/"
              },
              {
                "name": "FEDORA-2022-1da581ac6d",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/"
              },
              {
                "name": "GLSA-202401-31",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202401-31"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.5.13"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open source container runtime. A bug was found in the containerd\u0027s CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd\u0027s CRI implementation; `ExecSync` may be used when running probes or when executing processes via an \"exec\" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-31T13:06:25.784Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf"
            },
            {
              "url": "https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382"
            },
            {
              "name": "[oss-security] 20220606 CVE-2022-31030: containerd CRI plugin: Host memory exhaustion through ExecSync",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/06/07/1"
            },
            {
              "name": "DSA-5162",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5162"
            },
            {
              "name": "FEDORA-2022-725ac93b48",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/"
            },
            {
              "name": "FEDORA-2022-1da581ac6d",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/"
            },
            {
              "name": "GLSA-202401-31",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202401-31"
            }
          ],
          "source": {
            "advisory": "GHSA-5ffw-gxpp-mxpf",
            "discovery": "UNKNOWN"
          },
          "title": "containerd CRI plugin: Host memory exhaustion through ExecSync"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-31030",
        "datePublished": "2022-06-06T00:00:00.000Z",
        "dateReserved": "2022-05-18T00:00:00.000Z",
        "dateUpdated": "2024-08-03T07:03:40.336Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-53489 (GCVE-0-2026-53489)

    Vulnerability from cvelistv5 – Published: 2026-07-01 18:10 – Updated: 2026-07-01 18:10
    VLAI
    Title
    containerd: Arbitrary host CRI log file read via symlink following in CRI checkpoint restore
    Summary
    containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
    CWE
    • CWE-61 - UNIX Symbolic Link (Symlink) Following
    Assigner
    References
    Impacted products
    Vendor Product Version
    containerd containerd Affected: >= 2.1.0, < 2.1.9
    Affected: >= 2.2.0, < 2.2.5
    Affected: >= 2.3.0, < 2.3.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.1.0, \u003c 2.1.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.0, \u003c 2.2.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.3.0, \u003c 2.3.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-61",
                  "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T18:10:41.802Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-rgh6-rfwx-v388",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-rgh6-rfwx-v388"
            }
          ],
          "source": {
            "advisory": "GHSA-rgh6-rfwx-v388",
            "discovery": "UNKNOWN"
          },
          "title": "containerd: Arbitrary host CRI log file read via symlink following in CRI checkpoint restore"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53489",
        "datePublished": "2026-07-01T18:10:41.802Z",
        "dateReserved": "2026-06-09T17:05:25.059Z",
        "dateUpdated": "2026-07-01T18:10:41.802Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53492 (GCVE-0-2026-53492)

    Vulnerability from cvelistv5 – Published: 2026-07-01 17:59 – Updated: 2026-07-01 17:59
    VLAI
    Title
    containerd CRI checkpoint restore CDI annotation smuggling
    Summary
    containerd is an open-source container runtime. In Versions prior to 2.3.2, 2.2.5 and 2.1.9, the CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations from the checkpoint archive rather than relying solely on the pod's create-time specification. This allows a user with pod creation permissions to bypass standard Kubernetes resource allocation and device plugin enforcement, injecting arbitrary CDI edits (such as device nodes and host mounts) into the restored container. Successful exploitation requires that the node has CDI enabled and contains a matching host CDI specification for the requested device; environments where CDI is disabled or lacking sensitive device specifications are not affected. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    containerd containerd Affected: >= 2.1.0, < 2.1.9
    Affected: >= 2.2.0, < 2.2.5
    Affected: >= 2.3.0, < 2.3.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.1.0, \u003c 2.1.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.0, \u003c 2.2.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.3.0, \u003c 2.3.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. In Versions prior to 2.3.2, 2.2.5 and 2.1.9, the CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations from the checkpoint archive rather than relying solely on the pod\u0027s create-time specification. This allows a user with pod creation permissions to bypass standard Kubernetes resource allocation and device plugin enforcement, injecting arbitrary CDI edits (such as device nodes and host mounts) into the restored container. Successful exploitation requires that the node has CDI enabled and contains a matching host CDI specification for the requested device; environments where CDI is disabled or lacking sensitive device specifications are not affected. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T17:59:12.552Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-33vj-92qq-66hc",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-33vj-92qq-66hc"
            }
          ],
          "source": {
            "advisory": "GHSA-33vj-92qq-66hc",
            "discovery": "UNKNOWN"
          },
          "title": "containerd CRI checkpoint restore CDI annotation smuggling"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53492",
        "datePublished": "2026-07-01T17:59:12.552Z",
        "dateReserved": "2026-06-09T17:05:25.059Z",
        "dateUpdated": "2026-07-01T17:59:12.552Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50195 (GCVE-0-2026-50195)

    Vulnerability from cvelistv5 – Published: 2026-07-01 17:50 – Updated: 2026-07-01 18:32
    VLAI
    Title
    containerd: CRI checkpoint import allows local image tag poisoning
    Summary
    containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the CRI checkpoint import process where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local tag, thereby poisoning the node's local image cache. Subsequently, if other pods on the same node attempt to use the poisoned tag with an IfNotPresent (or Never) pull policy, they will unknowingly execute the attacker's malicious image instead of the legitimate one. This can lead to a compromise of the affected pods, allowing the attacker to execute arbitrary code under the victim pod's identity. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    • CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
    Assigner
    References
    Impacted products
    Vendor Product Version
    containerd containerd Affected: >= 2.1.0, < 2.1.9
    Affected: >= 2.2.0, < 2.2.5
    Affected: >= 2.3.0, < 2.3.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50195",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T18:32:22.918998Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T18:32:29.659Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.1.0, \u003c 2.1.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.0, \u003c 2.2.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.3.0, \u003c 2.3.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the CRI checkpoint import process where it fails to validate the image references specified within a checkpoint image\u0027s configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local tag, thereby poisoning the node\u0027s local image cache. Subsequently, if other pods on the same node attempt to use the poisoned tag with an IfNotPresent (or Never) pull policy, they will unknowingly execute the attacker\u0027s malicious image instead of the legitimate one. This can lead to a compromise of the affected pods, allowing the attacker to execute arbitrary code under the victim pod\u0027s identity. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-829",
                  "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T17:50:53.072Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-cvxm-645q-p574",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-cvxm-645q-p574"
            }
          ],
          "source": {
            "advisory": "GHSA-cvxm-645q-p574",
            "discovery": "UNKNOWN"
          },
          "title": "containerd: CRI checkpoint import allows local image tag poisoning"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50195",
        "datePublished": "2026-07-01T17:50:53.072Z",
        "dateReserved": "2026-06-03T22:05:13.645Z",
        "dateUpdated": "2026-07-01T18:32:29.659Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47262 (GCVE-0-2026-47262)

    Vulnerability from cvelistv5 – Published: 2026-07-01 17:48 – Updated: 2026-07-01 18:34
    VLAI
    Title
    containerd image-triggered runtime DoS via unbounded group parsing
    Summary
    containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2, contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components. This issue has been fixed in versions 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    containerd containerd Affected: >= 1.7.0, < 1.7.33
    Affected: >= 2.0.0, < 2.0.10
    Affected: >= 2.1.0, < 2.1.9
    Affected: >= 2.2.0, < 2.2.5
    Affected: >= 2.3.0, < 2.3.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47262",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T18:33:54.105358Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T18:34:06.714Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.7.0, \u003c 1.7.33"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.0.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.1.0, \u003c 2.1.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.0, \u003c 2.2.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.3.0, \u003c 2.3.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2, contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components. This issue has been fixed in versions 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T17:48:43.205Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-jpcc-p29g-p8mq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-jpcc-p29g-p8mq"
            }
          ],
          "source": {
            "advisory": "GHSA-jpcc-p29g-p8mq",
            "discovery": "UNKNOWN"
          },
          "title": "containerd image-triggered runtime DoS via unbounded group parsing"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47262",
        "datePublished": "2026-07-01T17:48:43.205Z",
        "dateReserved": "2026-05-18T23:03:37.229Z",
        "dateUpdated": "2026-07-01T18:34:06.714Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-46680 (GCVE-0-2026-46680)

    Vulnerability from cvelistv5 – Published: 2026-07-01 17:40 – Updated: 2026-07-01 17:40
    VLAI
    Title
    containerd user ID handling bypass allows runAsNonRoot evasion
    Summary
    containerd is an open-source container runtime. In versions prior to 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username, leading to runAsNonRoot evasion. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user. This issue has been fixed in versions 1.7.32, 2.0.9, 2.2.4 and 2.3.1.
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.7.32
    Affected: >= 2.0.4, < 2.0.9
    Affected: >= 2.0.10, < 2.2.4
    Affected: >= 2.2.5, < 2.3.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.7.32"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.4, \u003c 2.0.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.10, \u003c 2.2.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.5, \u003c 2.3.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. In versions prior to 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username, leading to runAsNonRoot evasion. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user. This issue has been fixed in versions 1.7.32, 2.0.9, 2.2.4 and 2.3.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T17:40:25.499Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w"
            }
          ],
          "source": {
            "advisory": "GHSA-fqw6-gf59-qr4w",
            "discovery": "UNKNOWN"
          },
          "title": "containerd user ID handling bypass allows runAsNonRoot evasion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46680",
        "datePublished": "2026-07-01T17:40:25.499Z",
        "dateReserved": "2026-05-15T21:46:51.547Z",
        "dateUpdated": "2026-07-01T17:40:25.499Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53488 (GCVE-0-2026-53488)

    Vulnerability from cvelistv5 – Published: 2026-07-01 00:11 – Updated: 2026-07-01 14:26
    VLAI
    Title
    containerd CRI plugin: — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull
    Summary
    containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.7.33
    Affected: >= 2.0.0, < 2.0.10
    Affected: >= 2.1.0, < 2.1.9
    Affected: >= 2.2.0, < 2.2.5
    Affected: >= 2.3.0, < 2.3.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53488",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T13:34:04.424739Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T14:26:09.809Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.7.33"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.0.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.1.0, \u003c 2.1.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.0, \u003c 2.2.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.3.0, \u003c 2.3.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T00:11:20.610Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-xhf5-7wjv-pqxp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-xhf5-7wjv-pqxp"
            }
          ],
          "source": {
            "advisory": "GHSA-xhf5-7wjv-pqxp",
            "discovery": "UNKNOWN"
          },
          "title": "containerd CRI plugin: \u2014 image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53488",
        "datePublished": "2026-07-01T00:11:20.610Z",
        "dateReserved": "2026-06-09T17:05:25.059Z",
        "dateUpdated": "2026-07-01T14:26:09.809Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64329 (GCVE-0-2025-64329)

    Vulnerability from cvelistv5 – Published: 2025-11-07 04:15 – Updated: 2025-11-07 17:42
    VLAI
    Title
    containerd CRI server: Host memory exhaustion through Attach goroutine leak
    Summary
    containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-401 - Missing Release of Memory after Effective Lifetime
    Assigner
    References
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.7.29
    Affected: < 2.0.7
    Affected: >= 2.1.0-beta.0, < 2.1.5
    Affected: >= 2.2.0-beta.0, < 2.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64329",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-07T17:41:50.476907Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-07T17:42:07.929Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.7.29"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.0.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.1.0-beta.0, \u003c 2.1.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.0-beta.0, \u003c 2.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-401",
                  "description": "CWE-401: Missing Release of Memory after Effective Lifetime",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-07T04:15:09.381Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df"
            }
          ],
          "source": {
            "advisory": "GHSA-m6hq-p25p-ffr2",
            "discovery": "UNKNOWN"
          },
          "title": "containerd CRI server: Host memory exhaustion through Attach goroutine leak"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64329",
        "datePublished": "2025-11-07T04:15:09.381Z",
        "dateReserved": "2025-10-30T17:40:52.028Z",
        "dateUpdated": "2025-11-07T17:42:07.929Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-25621 (GCVE-0-2024-25621)

    Vulnerability from cvelistv5 – Published: 2025-11-06 18:36 – Updated: 2025-11-06 19:35
    VLAI
    Title
    containerd affected by a local privilege escalation via wide permissions on CRI directory
    Summary
    containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-279 - Incorrect Execution-Assigned Permissions
    Assigner
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.7.29
    Affected: >= 2.0.0-beta.0, < 2.0.7
    Affected: >= 2.1.0-beta.0, < 2.1.5
    Affected: >= 2.2.0-beta.0, < 2.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-25621",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-06T19:34:44.710425Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-06T19:35:13.415Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.7.29"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0-beta.0, \u003c 2.0.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.1.0-beta.0, \u003c 2.1.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.0-beta.0, \u003c 2.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-279",
                  "description": "CWE-279: Incorrect Execution-Assigned Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-06T18:36:21.566Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5"
            },
            {
              "name": "https://github.com/containerd/containerd/blob/main/docs/rootless.md",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/blob/main/docs/rootless.md"
            }
          ],
          "source": {
            "advisory": "GHSA-pwhc-rpq9-4c8w",
            "discovery": "UNKNOWN"
          },
          "title": "containerd affected by a local privilege escalation via wide permissions on CRI directory"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-25621",
        "datePublished": "2025-11-06T18:36:21.566Z",
        "dateReserved": "2024-02-08T22:26:33.511Z",
        "dateUpdated": "2025-11-06T19:35:13.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47291 (GCVE-0-2025-47291)

    Vulnerability from cvelistv5 – Published: 2025-05-21 17:26 – Updated: 2025-05-21 19:19
    VLAI
    Title
    containerd CRI plugin: Incorrect cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods.
    Summary
    containerd is an open-source container runtime. A bug was found in the containerd's CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn't put usernamespaced containers under the Kubernetes' cgroup hierarchy, therefore some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node. This bug has been fixed in containerd 2.0.5+ and 2.1.0+. Users should update to these versions to resolve the issue. As a workaround, disable usernamespaced pods in Kubernetes temporarily.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    References
    Impacted products
    Vendor Product Version
    containerd containerd Affected: >= 2.0.1, < 2.0.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47291",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-21T19:19:32.387955Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-21T19:19:39.944Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.1, \u003c 2.0.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. A bug was found in the containerd\u0027s CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn\u0027t put usernamespaced containers under the Kubernetes\u0027 cgroup hierarchy, therefore some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node. This bug has been fixed in containerd 2.0.5+ and 2.1.0+. Users should update to these versions to resolve the issue. As a workaround, disable usernamespaced pods in Kubernetes temporarily."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "CWE-266: Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-21T17:26:31.141Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-cxfp-7pvr-95ff",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-cxfp-7pvr-95ff"
            }
          ],
          "source": {
            "advisory": "GHSA-cxfp-7pvr-95ff",
            "discovery": "UNKNOWN"
          },
          "title": "containerd CRI plugin: Incorrect cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods."
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-47291",
        "datePublished": "2025-05-21T17:26:31.141Z",
        "dateReserved": "2025-05-05T16:53:10.374Z",
        "dateUpdated": "2025-05-21T19:19:39.944Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-47290 (GCVE-0-2025-47290)

    Vulnerability from cvelistv5 – Published: 2025-05-20 18:25 – Updated: 2025-05-20 18:44
    VLAI
    Title
    Containerd vulnerable to host filesystem access during image unpack
    Summary
    containerd is a container runtime. A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system. The only affected version of containerd is 2.1.0. Other versions of containerd are not affected. This bug has been fixed in containerd 2.1.1. Users should update to this version to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
    Assigner
    Impacted products
    Vendor Product Version
    containerd containerd Affected: = 2.1.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47290",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-20T18:43:21.823258Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-20T18:44:19.248Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 2.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is a container runtime. A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system. The only affected version of containerd is 2.1.0.  Other versions of containerd are not affected. This bug has been fixed in containerd 2.1.1. Users should update to this version to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-367",
                  "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-20T18:25:51.703Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-cm76-qm8v-3j95",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-cm76-qm8v-3j95"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/cada13298fba85493badb6fecb6ccf80e49673cc",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/cada13298fba85493badb6fecb6ccf80e49673cc"
            },
            {
              "name": "https://github.com/containerd/containerd/releases/tag/v2.1.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/releases/tag/v2.1.1"
            }
          ],
          "source": {
            "advisory": "GHSA-cm76-qm8v-3j95",
            "discovery": "UNKNOWN"
          },
          "title": "Containerd vulnerable to host filesystem access during image unpack"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-47290",
        "datePublished": "2025-05-20T18:25:51.703Z",
        "dateReserved": "2025-05-05T16:53:10.374Z",
        "dateUpdated": "2025-05-20T18:44:19.248Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-40635 (GCVE-0-2024-40635)

    Vulnerability from cvelistv5 – Published: 2025-03-17 21:32 – Updated: 2025-05-04 22:02
    VLAI
    Title
    containerd has an integer overflow in User ID handling
    Summary
    containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-190 - Integer Overflow or Wraparound
    Assigner
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.6.38
    Affected: >= 1.7.0-beta.0, < 1.7.27
    Affected: >= 2.0.0-beta.0, < 2.0.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-40635",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-18T14:17:05.162920Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-18T14:17:14.209Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-05-04T22:02:39.748Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.38"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.7.0-beta.0, \u003c 1.7.27"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0-beta.0, \u003c 2.0.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-17T21:32:37.894Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a"
            }
          ],
          "source": {
            "advisory": "GHSA-265r-hfxg-fhmg",
            "discovery": "UNKNOWN"
          },
          "title": "containerd has an integer overflow in User ID handling"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-40635",
        "datePublished": "2025-03-17T21:32:37.894Z",
        "dateReserved": "2024-07-08T16:13:15.511Z",
        "dateUpdated": "2025-05-04T22:02:39.748Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25173 (GCVE-0-2023-25173)

    Vulnerability from cvelistv5 – Published: 2023-02-16 14:09 – Updated: 2025-03-10 21:10
    VLAI
    Title
    containerd supplementary groups are not set up properly
    Summary
    containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.5.18
    Affected: >= 1.6.0, < 1.6.18
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:35.671Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p"
              },
              {
                "name": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4"
              },
              {
                "name": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a"
              },
              {
                "name": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96"
              },
              {
                "name": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp"
              },
              {
                "name": "https://github.com/advisories/GHSA-phjr-8j92-w5v7",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-phjr-8j92-w5v7"
              },
              {
                "name": "https://github.com/containerd/containerd/releases/tag/v1.5.18",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
              },
              {
                "name": "https://github.com/containerd/containerd/releases/tag/v1.6.18",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
              },
              {
                "name": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25173",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T21:00:44.060345Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T21:10:38.648Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.5.18"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.18"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.\n\nThis bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd\u0027s client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `\"USER $USERNAME\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\"su\", \"-\", \"user\"]` to allow `su` to properly set up supplementary groups."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-15T20:06:31.329Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p"
            },
            {
              "name": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a"
            },
            {
              "name": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96"
            },
            {
              "name": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp"
            },
            {
              "name": "https://github.com/advisories/GHSA-phjr-8j92-w5v7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/advisories/GHSA-phjr-8j92-w5v7"
            },
            {
              "name": "https://github.com/containerd/containerd/releases/tag/v1.5.18",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
            },
            {
              "name": "https://github.com/containerd/containerd/releases/tag/v1.6.18",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
            },
            {
              "name": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"
            }
          ],
          "source": {
            "advisory": "GHSA-hmfx-3pcx-653p",
            "discovery": "UNKNOWN"
          },
          "title": "containerd supplementary groups are not set up properly"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-25173",
        "datePublished": "2023-02-16T14:09:12.073Z",
        "dateReserved": "2023-02-03T16:59:18.247Z",
        "dateUpdated": "2025-03-10T21:10:38.648Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25153 (GCVE-0-2023-25153)

    Vulnerability from cvelistv5 – Published: 2023-02-16 14:09 – Updated: 2025-03-10 21:10
    VLAI
    Title
    containerd OCI image importer memory exhaustion
    Summary
    containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.5.18
    Affected: >= 1.6.0, < 1.6.18
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:35.221Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2"
              },
              {
                "name": "https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4"
              },
              {
                "name": "https://github.com/containerd/containerd/releases/tag/v1.5.18",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
              },
              {
                "name": "https://github.com/containerd/containerd/releases/tag/v1.6.18",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25153",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T20:57:30.825093Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T21:10:44.159Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.5.18"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.18"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18.  Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-16T14:09:08.519Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4"
            },
            {
              "name": "https://github.com/containerd/containerd/releases/tag/v1.5.18",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
            },
            {
              "name": "https://github.com/containerd/containerd/releases/tag/v1.6.18",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
            }
          ],
          "source": {
            "advisory": "GHSA-259w-8hf6-59c2",
            "discovery": "UNKNOWN"
          },
          "title": "containerd OCI image importer memory exhaustion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-25153",
        "datePublished": "2023-02-16T14:09:08.519Z",
        "dateReserved": "2023-02-03T16:59:18.242Z",
        "dateUpdated": "2025-03-10T21:10:44.159Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-23471 (GCVE-0-2022-23471)

    Vulnerability from cvelistv5 – Published: 2022-12-07 22:51 – Updated: 2025-04-23 16:31
    VLAI
    Title
    containerd CRI stream server: Host memory exhaustion through terminal resize goroutine leak
    Summary
    containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.5.16
    Affected: >= 1.6.0, < 1.6.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:43:46.038Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9"
              },
              {
                "name": "https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202401-31"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-23471",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T13:52:53.736356Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-23T16:31:30.024Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.5.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open source container runtime. A bug was found in containerd\u0027s CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user\u0027s process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd\u0027s CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16.  Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-31T13:06:15.170Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0"
            },
            {
              "url": "https://security.gentoo.org/glsa/202401-31"
            }
          ],
          "source": {
            "advisory": "GHSA-2qjp-425j-52j9",
            "discovery": "UNKNOWN"
          },
          "title": "containerd CRI stream server: Host memory exhaustion through terminal resize goroutine leak"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-23471",
        "datePublished": "2022-12-07T22:51:34.193Z",
        "dateReserved": "2022-01-19T21:23:53.757Z",
        "dateUpdated": "2025-04-23T16:31:30.024Z",
        "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-31030 (GCVE-0-2022-31030)

    Vulnerability from cvelistv5 – Published: 2022-06-06 00:00 – Updated: 2024-08-03 07:03
    VLAI
    Title
    containerd CRI plugin: Host memory exhaustion through ExecSync
    Summary
    containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    containerd containerd Affected: < 1.5.13
    Affected: >= 1.6.0, < 1.6.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T07:03:40.336Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382"
              },
              {
                "name": "[oss-security] 20220606 CVE-2022-31030: containerd CRI plugin: Host memory exhaustion through ExecSync",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/06/07/1"
              },
              {
                "name": "DSA-5162",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2022/dsa-5162"
              },
              {
                "name": "FEDORA-2022-725ac93b48",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/"
              },
              {
                "name": "FEDORA-2022-1da581ac6d",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/"
              },
              {
                "name": "GLSA-202401-31",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202401-31"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "containerd",
              "vendor": "containerd",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.5.13"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "containerd is an open source container runtime. A bug was found in the containerd\u0027s CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd\u0027s CRI implementation; `ExecSync` may be used when running probes or when executing processes via an \"exec\" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-31T13:06:25.784Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf"
            },
            {
              "url": "https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382"
            },
            {
              "name": "[oss-security] 20220606 CVE-2022-31030: containerd CRI plugin: Host memory exhaustion through ExecSync",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/06/07/1"
            },
            {
              "name": "DSA-5162",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5162"
            },
            {
              "name": "FEDORA-2022-725ac93b48",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/"
            },
            {
              "name": "FEDORA-2022-1da581ac6d",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/"
            },
            {
              "name": "GLSA-202401-31",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202401-31"
            }
          ],
          "source": {
            "advisory": "GHSA-5ffw-gxpp-mxpf",
            "discovery": "UNKNOWN"
          },
          "title": "containerd CRI plugin: Host memory exhaustion through ExecSync"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-31030",
        "datePublished": "2022-06-06T00:00:00.000Z",
        "dateReserved": "2022-05-18T00:00:00.000Z",
        "dateUpdated": "2024-08-03T07:03:40.336Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }