CVE-2022-23648
published 2022-03-03
CVE-2022-23648: containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where…
Priority: P260, high, 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 27.39% (97.8th percentile)
containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| containerd | containerd | < 1.4.13 | 1.4.13 |
| containerd | containerd | — | — |
| containerd | containerd | — | — |
| containerd | containerd | >= 0 < 1.4.13~ds1-1~deb11u1 | 1.4.13~ds1-1~deb11u1 |
| containerd | containerd | >= 0 < 1.6.1~ds1-1 | 1.6.1~ds1-1 |
| containerd | containerd | >= 0 < 1.6.1~ds1-1 | 1.6.1~ds1-1 |
| containerd | containerd | >= 0 < 1.6.1~ds1-1 | 1.6.1~ds1-1 |
| containerd | containerd | >= 0 < 1.2.6-0ubuntu1~16.04.6+esm2 | 1.2.6-0ubuntu1~16.04.6+esm2 |
| debian | containerd | < containerd 1.6.1~ds1-1 (bookworm) | containerd 1.6.1~ds1-1 (bookworm) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| github.com | containerd_containerd | >= 0 < 1.4.13 | 1.4.13 |
| github.com | containerd_containerd | >= 1.5.0 < 1.5.10 | 1.5.10 |
| github.com | containerd_containerd | >= 1.6.0 < 1.6.1 | 1.6.1 |
| linuxfoundation | containerd | < 1.4.13 | 1.4.13 |
| linuxfoundation | containerd | >= 1.5.0 < 1.5.10 | 1.5.10 |
| linuxfoundation | containerd | >= 1.6.0 < 1.6.1 | 1.6.1 |
| msrc | cm1_moby-containerd_1.5.9+azure-3_on_cbl_mariner_1.0 | — | — |
Detection & IOCs
- Detect exploitation by inspecting OCI image configurations (image blob config) for path traversal sequences in Config.Volumes paths. A Volume path containing traversal (e.g., '../') is the attack primitive used to copy arbitrary host files into the container.
- The vulnerability is triggered via containerd's CRI plugin when handling OCI image specs containing 'Volumes' with path traversal. Monitor for unexpected file copies from host paths into container-mounted paths, which is the observable effect of the copyExistingContents function being abused.
- Alert on pod creation events where the container image config includes Config.Volumes entries with path traversal patterns. An attacker with pod creation privileges can trigger the vulnerability without using actual Kubernetes volumes.
- cri-o is not affected by this flaw; Red Hat products that use cri-o as the default runtime are not impacted, reducing detection priority in those environments.
- Exploitation may bypass policy-based enforcement such as Kubernetes Pod Security Policy, meaning PSP-based detections or controls will not prevent or surface this attack.
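The image-config check described in the first and third items can be run before an image is admitted. The following is an added example, not code from this page or from the containerd project: the function names and both sample configs are constructed for illustration, and the "not absolute" and "not normalized" checks go beyond the '../' case the page names.

```python
import json
import posixpath
from typing import Optional

def check_volume(path: str) -> Optional[str]:
    """Return a reason if a Config.Volumes key is not a clean absolute path."""
    if ".." in path.split("/"):
        return "'..' path segment"
    if not path.startswith("/"):
        return "not an absolute path"
    # normpath collapses '/./' and repeated inner slashes; a trailing '/' is tolerated
    if posixpath.normpath(path) != (path.rstrip("/") or "/"):
        return "not in normalized form"
    return None

def suspicious_volumes(image_config_json: str) -> list:
    """Return (volume, reason) pairs for one OCI image config blob."""
    doc = json.loads(image_config_json)
    # "config" or "Volumes" may be absent or null in real images
    volumes = (doc.get("config") or {}).get("Volumes") or {}
    findings = []
    for vol in volumes:
        reason = check_volume(vol)
        if reason:
            findings.append((vol, reason))
    return findings

def flag_images(configs: dict) -> dict:
    """Map image reference -> findings, keeping only images with findings."""
    flagged = {}
    for ref, blob in configs.items():
        found = suspicious_volumes(blob)
        if found:
            flagged[ref] = found
    return flagged

# Constructed sample configs (not taken from any real image).
BENIGN = json.dumps({"config": {"Volumes": {"/var/lib/data": {}, "/srv/app/": {}}}})
NO_VOLUMES = json.dumps({"config": {"Volumes": None}})
CRAFTED = json.dumps({"config": {"Volumes": {
    "/cache/../../placeholder": {},   # traversal segment
    "logs": {},                       # relative path
    "/srv/app": {},                   # clean
}}})

if __name__ == "__main__":
    samples = {"registry.example/ok:1": BENIGN,
               "registry.example/empty:1": NO_VOLUMES,
               "registry.example/crafted:1": CRAFTED}
    for ref, found in flag_images(samples).items():
        print(ref, found)
```

A finding is grounds to hold the image for review; updating containerd to a fixed version remains the actual remediation.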
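CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |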
Ubuntu
containerd vulnerabilities
vendor_ubuntu·2022-07-15·CVSS 5.0
CVE-2021-32760 [MEDIUM] containerd vulnerabilities
Title: containerd vulnerabilities
Summary: Several security issues were fixed in containerd.
It was discovered that containerd insufficiently restricted permissions on
container root and plugin directories. If a user or automated system were
tricked into launching a specially crafted container image, a remote
attacker could traverse directory contents and modify files and execute
programs on the host file system, possibly leading to privilege escalation.
(CVE-2021-41103)
It was discovered that containerd incorrectly handled file permission
changes. If a user or automated system were tricked into launching a
specially crafted container image, a remote attacker could change
permissions on files on the host file system and possibly escalate
privileges. (CVE-2021-32760)
It was discovered t
Ubuntu
containerd regression
vendor_ubuntu·2022-05-16
CVE-2022-23648 containerd regression
Title: containerd regression
Summary: USN-5311-1 fix was reverted by mistake in containerd.
USN-5311-1 released updates for containerd. Unfortunately, a subsequent update
reverted the fix for this CVE by mistake. This update corrects the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that containerd allows attackers to gain access to read-
only copies of arbitrary files and directories on the host via a specially-
crafted image configuration. An attacker could possibly use this issue to
obtain sensitive information.
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
Insecure handling of image volumes in containerd CRI plugin
vendor_msrc·2022-03-08·CVSS 7.5
CVE-2022-23648 [HIGH] CWE-200 Insecure handling of image volumes in containerd CRI plugin
Insecure handling of image volumes in containerd CRI plugin
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: htt
Ubuntu
containerd vulnerability
vendor_ubuntu·2022-03-03
CVE-2022-23648 containerd vulnerability
Title: containerd vulnerability
Summary: containerd would allow unintended access to files over the network.
It was discovered that containerd allows attackers to gain access to read-
only copies of arbitrary files and directories on the host via a specially-
crafted image configuration. An attacker could possibly use this issue to
obtain sensitive information.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
containerd: insecure handling of image volumes
vendor_redhat·2022-03-02·CVSS 7.5
CVE-2022-23648 [HIGH] CWE-552 containerd: insecure handling of image volumes
containerd: insecure handling of image volumes
containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.
An information leak was di
Debian
CVE-2022-23648: containerd - containerd is a container runtime available as a daemon for Linux and Windows. A...
vendor_debian·2022·CVSS 7.5
CVE-2022-23648 [HIGH] CVE-2022-23648: containerd - containerd is a container runtime available as a daemon for Linux and Windows. A...
containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.
Scope: local
bookworm: resolved (fixed in 1.6.1~ds1-1)
bullseye: resolved (
OSV
containerd CRI plugin: Insecure handling of image volumes in github.com/containerd/containerd
osv·2024-08-21
CVE-2022-23648 containerd CRI plugin: Insecure handling of image volumes in github.com/containerd/containerd
containerd CRI plugin: Insecure handling of image volumes in github.com/containerd/containerd
OSV
containerd vulnerabilities
osv·2022-07-15·CVSS 6.3
CVE-2021-41103 [MEDIUM] containerd vulnerabilities
containerd vulnerabilities
It was discovered that containerd insufficiently restricted permissions on
container root and plugin directories. If a user or automated system were
tricked into launching a specially crafted container image, a remote
attacker could traverse directory contents and modify files and execute
programs on the host file system, possibly leading to privilege escalation.
(CVE-2021-41103)
It was discovered that containerd incorrectly handled file permission
changes. If a user or automated system were tricked into launching a
specially crafted container image, a remote attacker could change
permissions on files on the host file system and possibly escalate
privileges. (CVE-2021-32760)
It was discovered that containerd allows attackers to gain access to read-
only copies
OSV
CVE-2022-23648: containerd is a container runtime available as a daemon for Linux and Windows
osv·2022-03-03·CVSS 7.5
CVE-2022-23648 [HIGH] CVE-2022-23648: containerd is a container runtime available as a daemon for Linux and Windows
containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.
OSV
containerd CRI plugin: Insecure handling of image volumes
osv·2022-03-02
CVE-2022-23648 [HIGH] containerd CRI plugin: Insecure handling of image volumes
containerd CRI plugin: Insecure handling of image volumes
### Impact
A bug was found in containerd where containers launched through containerd’s CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation.
### Patches
This bug has been fixed in containerd 1.6.1, 1.5.10 and 1.4.13. Users should update to these versions to resolve the issue.
### Workarounds
Ensure that only trusted images are used.
### Credits
The containerd project would like to thank Felix W
GHSA
containerd CRI plugin: Insecure handling of image volumes
ghsa·2022-03-02
CVE-2022-23648 [HIGH] CWE-200 containerd CRI plugin: Insecure handling of image volumes
containerd CRI plugin: Insecure handling of image volumes
### Impact
A bug was found in containerd where containers launched through containerd’s CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation.
### Patches
This bug has been fixed in containerd 1.6.1, 1.5.10 and 1.4.13. Users should update to these versions to resolve the issue.
### Workarounds
Ensure that only trusted images are used.
### Credits
The containerd project would like to thank Felix W
No detection rules found.
No public exploits indexed.
Crowdstrike
Understanding CVE-2022-23648 Kubernetes Vulnerability
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Understanding CVE-2022-23648 Kubernetes Vulnerability
http://packetstormsecurity.com/files/166421/containerd-Image-Volume-Insecure-Handling.html
https://github.com/containerd/containerd/commit/10f428dac7cec44c864e1b830a4623af27a9fc70
https://github.com/containerd/containerd/releases/tag/v1.4.13
https://github.com/containerd/containerd/releases/tag/v1.5.10
https://github.com/containerd/containerd/releases/tag/v1.6.1
https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUDQUQBZJGBWJPMRVB6QCCCRF7O3O4PA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HFTS2EF3S7HNYSNZSEJZIJHPRU7OPUV3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCCARJ6FU4MWBTXHZNMS7NELPDBIX2VO/
https://security.gentoo.org/glsa/202401-31
https://www.debian.org/security/2022/dsa-5091
2022-03-03
Published