Refine your search
2 vulnerabilities found for by containerd
CVE-2025-64329 (GCVE-0-2025-64329)
Vulnerability from cvelistv5
Published
2025-11-07 04:15
Modified
2025-11-07 17:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Summary
containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| containerd | containerd |
Version: < 1.7.29 Version: < 2.0.7 Version: >= 2.1.0-beta.0, < 2.1.5 Version: >= 2.2.0-beta.0, < 2.2.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64329",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-07T17:41:50.476907Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T17:42:07.929Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "containerd",
"vendor": "containerd",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.29"
},
{
"status": "affected",
"version": "\u003c 2.0.7"
},
{
"status": "affected",
"version": "\u003e= 2.1.0-beta.0, \u003c 2.1.5"
},
{
"status": "affected",
"version": "\u003e= 2.2.0-beta.0, \u003c 2.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401: Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T04:15:09.381Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2"
},
{
"name": "https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df"
}
],
"source": {
"advisory": "GHSA-m6hq-p25p-ffr2",
"discovery": "UNKNOWN"
},
"title": "containerd CRI server: Host memory exhaustion through Attach goroutine leak"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64329",
"datePublished": "2025-11-07T04:15:09.381Z",
"dateReserved": "2025-10-30T17:40:52.028Z",
"dateUpdated": "2025-11-07T17:42:07.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-25621 (GCVE-0-2024-25621)
Vulnerability from cvelistv5
Published
2025-11-06 18:36
Modified
2025-11-06 19:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-279 - Incorrect Execution-Assigned Permissions
Summary
containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| containerd | containerd |
Version: < 1.7.29 Version: >= 2.0.0-beta.0, < 2.0.7 Version: >= 2.1.0-beta.0, < 2.1.5 Version: >= 2.2.0-beta.0, < 2.2.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-25621",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T19:34:44.710425Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T19:35:13.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "containerd",
"vendor": "containerd",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.29"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-beta.0, \u003c 2.0.7"
},
{
"status": "affected",
"version": "\u003e= 2.1.0-beta.0, \u003c 2.1.5"
},
{
"status": "affected",
"version": "\u003e= 2.2.0-beta.0, \u003c 2.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-279",
"description": "CWE-279: Incorrect Execution-Assigned Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T18:36:21.566Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w"
},
{
"name": "https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5"
},
{
"name": "https://github.com/containerd/containerd/blob/main/docs/rootless.md",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/containerd/containerd/blob/main/docs/rootless.md"
}
],
"source": {
"advisory": "GHSA-pwhc-rpq9-4c8w",
"discovery": "UNKNOWN"
},
"title": "containerd affected by a local privilege escalation via wide permissions on CRI directory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-25621",
"datePublished": "2025-11-06T18:36:21.566Z",
"dateReserved": "2024-02-08T22:26:33.511Z",
"dateUpdated": "2025-11-06T19:35:13.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}