ghsa-m6hq-p25p-ffr2
Vulnerability from github
Published
2025-11-06 23:32
Modified
2025-11-07 16:42
Severity ?
6.9 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
containerd CRI server: Host memory exhaustion through Attach goroutine leak
Details

Impact

A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.

Repetitive calls of CRI Attach (e.g., kubectl attach) could increase the memory usage of containerd.

Patches

This bug has been fixed in the following containerd versions:

  • 2.2.0
  • 2.1.5
  • 2.0.7
  • 1.7.29

Users should update to these versions to resolve the issue.

Workarounds

Set up an admission controller to control accesses to pods/attach resources. e.g., Validating Admission Policy.

Credits

The containerd project would like to thank @Wheat2018 for responsibly disclosing this issue in accordance with the containerd security policy.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329

For more information

If you have any questions or comments about this advisory:

To report a security issue in containerd:

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containerd/containerd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.29"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containerd/containerd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containerd/containerd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0-beta.0"
            },
            {
              "fixed": "2.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containerd/containerd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0-beta.0"
            },
            {
              "fixed": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64329"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-06T23:32:23Z",
    "nvd_published_at": "2025-11-07T05:16:08Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA bug was found in containerd\u0027s CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. \n\nRepetitive calls of CRI Attach (e.g., [`kubectl attach`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_attach/)) could increase the memory usage of containerd.\n\n### Patches\n\nThis bug has been fixed in the following containerd versions:\n\n* 2.2.0\n* 2.1.5\n* 2.0.7\n* 1.7.29\n\nUsers should update to these versions to resolve the issue.\n\n### Workarounds\n\nSet up an admission controller to control accesses to `pods/attach` resources.\ne.g., [Validating Admission Policy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/).\n\n### Credits\n\nThe containerd project would like to thank @Wheat2018 for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md).\n\n### References\n\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose)\n* Email us at [security@containerd.io](mailto:security@containerd.io)\n\nTo report a security issue in containerd:\n\n* [Report a new vulnerability](https://github.com/containerd/containerd/security/advisories/new)",
  "id": "GHSA-m6hq-p25p-ffr2",
  "modified": "2025-11-07T16:42:55Z",
  "published": "2025-11-06T23:32:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64329"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/containerd/containerd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "containerd CRI server: Host memory exhaustion through Attach goroutine leak"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.