CVE-2022-31030
published 2022-06-09CVE-2022-31030: containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the…
PriorityP422medium5.5CVSS 3.1
AVLACLPRLUINSUCNINAH
EPSS
0.38%
29.5th percentile
containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| containerd | containerd | < 1.5.13 | 1.5.13 |
| containerd | containerd | — | — |
| containerd | containerd | >= 0 < 1.4.13~ds1-1~deb11u2 | 1.4.13~ds1-1~deb11u2 |
| containerd | containerd | >= 0 < 1.6.6~ds1-1 | 1.6.6~ds1-1 |
| containerd | containerd | >= 0 < 1.6.6~ds1-1 | 1.6.6~ds1-1 |
| containerd | containerd | >= 0 < 1.6.6~ds1-1 | 1.6.6~ds1-1 |
| containerd | containerd | >= 0 < 1.5.9-0ubuntu1~18.04.2 | 1.5.9-0ubuntu1~18.04.2 |
| containerd | containerd | >= 0 < 1.5.9-0ubuntu1~20.04.6 | 1.5.9-0ubuntu1~20.04.6 |
| containerd | containerd | >= 0 < 1.5.9-0ubuntu3.1 | 1.5.9-0ubuntu3.1 |
| containerd | containerd | >= 0 < 1.2.6-0ubuntu1~16.04.6+esm2 | 1.2.6-0ubuntu1~16.04.6+esm2 |
| debian | containerd | < containerd 1.6.6~ds1-1 (bookworm) | containerd 1.6.6~ds1-1 (bookworm) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| github.com | containerd_containerd | >= 0 < 1.5.13 | 1.5.13 |
| github.com | containerd_containerd | >= 1.6.0 < 1.6.6 | 1.6.6 |
| linuxfoundation | containerd | < 1.5.13 | 1.5.13 |
| linuxfoundation | containerd | >= 1.6.0 < 1.6.6 | 1.6.6 |
| msrc | cbl2_moby-containerd_1.6.6-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_moby-containerd_1.6.6+azure-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
nvdv2.02.1LOWAV:L/AC:L/Au:N/C:N/I:N/A:P
osv6.5MEDIUM
vendor_ubuntu5.7MEDIUM
vendor_debian5.5MEDIUM
vendor_msrc5.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
containerd vulnerabilities
vendor_ubuntu·2022-12-13·CVSS 5.7
CVE-2022-24778 [MEDIUM] containerd vulnerabilities
Title: containerd vulnerabilities
Summary: Several security issues were fixed in containerd.
It was discovered that containerd incorrectly handled memory
when receiving certain faulty Exec or ExecSync commands. A remote
attacker could possibly use this issue to cause a denial of service
or crash containerd. (CVE-2022-23471, CVE-2022-31030)
It was discovered that containerd incorrectly set up inheritable file
capabilities. An attacker could possibly use this issue to escalate
privileges inside a container. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24769)
It was discovered that containerd incorrectly handled access to encrypted
container images when using imgcrypt library. A remote attacker could
possibly use this issue to access encrypte
Ubuntu
containerd vulnerabilities
vendor_ubuntu·2022-07-15·CVSS 5.0
CVE-2021-32760 [MEDIUM] containerd vulnerabilities
Title: containerd vulnerabilities
Summary: Several security issues were fixed in containerd.
It was discovered that containerd insufficiently restricted permissions on
container root and plugin directories. If a user or automated system were
tricked into launching a specially crafted container image, a remote
attacker could traverse directory contents and modify files and execute
programs on the host file system, possibly leading to privilege escalation.
(CVE-2021-41103)
It was discovered that containerd incorrectly handled file permission
changes. If a user or automated system were tricked into launching a
specially crafted container image, a remote attacker could change
permissions on files on the host file system and possibly escalate
privileges. (CVE-2021-32760)
It was discovered t
Microsoft
containerd CRI plugin: Host memory exhaustion through ExecSync
vendor_msrc·2022-06-14·CVSS 5.5
CVE-2022-31030 [MEDIUM] CWE-400 containerd CRI plugin: Host memory exhaustion through ExecSync
containerd CRI plugin: Host memory exhaustion through ExecSync
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference:
Debian
CVE-2022-31030: containerd - containerd is an open source container runtime. A bug was found in the container...
vendor_debian·2022·CVSS 5.5
CVE-2022-31030 [MEDIUM] CVE-2022-31030: containerd - containerd is an open source container runtime. A bug was found in the container...
containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.
Scope: local
bookworm: resolved (fixed in 1.6.6~ds1-1)
OSV
containerd CRI plugin: Host memory exhaustion through ExecSync in github.com/containerd/containerd
osv·2024-08-21
CVE-2022-31030 containerd CRI plugin: Host memory exhaustion through ExecSync in github.com/containerd/containerd
containerd CRI plugin: Host memory exhaustion through ExecSync in github.com/containerd/containerd
containerd CRI plugin: Host memory exhaustion through ExecSync in github.com/containerd/containerd
OSV
containerd vulnerabilities
osv·2022-12-13·CVSS 6.5
CVE-2022-23471 [MEDIUM] containerd vulnerabilities
containerd vulnerabilities
It was discovered that containerd incorrectly handled memory
when receiving certain faulty Exec or ExecSync commands. A remote
attacker could possibly use this issue to cause a denial of service
or crash containerd. (CVE-2022-23471, CVE-2022-31030)
It was discovered that containerd incorrectly set up inheritable file
capabilities. An attacker could possibly use this issue to escalate
privileges inside a container. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24769)
It was discovered that containerd incorrectly handled access to encrypted
container images when using imgcrypt library. A remote attacker could
possibly use this issue to access encrypted images from other users.
This issue only affected Ubuntu 18.04 LT
OSV
containerd vulnerabilities
osv·2022-07-15·CVSS 6.3
CVE-2021-41103 [MEDIUM] containerd vulnerabilities
containerd vulnerabilities
It was discovered that containerd insufficiently restricted permissions on
container root and plugin directories. If a user or automated system were
tricked into launching a specially crafted container image, a remote
attacker could traverse directory contents and modify files and execute
programs on the host file system, possibly leading to privilege escalation.
(CVE-2021-41103)
It was discovered that containerd incorrectly handled file permission
changes. If a user or automated system were tricked into launching a
specially crafted container image, a remote attacker could change
permissions on files on the host file system and possibly escalate
privileges. (CVE-2021-32760)
It was discovered that containerd allows attackers to gain access to read-
only copies
OSV
CVE-2022-31030: containerd is an open source container runtime
osv·2022-06-09·CVSS 5.5
CVE-2022-31030 [MEDIUM] CVE-2022-31030: containerd is an open source container runtime
containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.
OSV
containerd CRI plugin: Host memory exhaustion through ExecSync
osv·2022-06-06
CVE-2022-31030 [MEDIUM] containerd CRI plugin: Host memory exhaustion through ExecSync
containerd CRI plugin: Host memory exhaustion through ExecSync
### Impact
A bug was found in containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility.
### Patches
This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue.
### Workarounds
Ensure that only trusted images and commands are used.
### References
* Similar fi
GHSA
containerd CRI plugin: Host memory exhaustion through ExecSync
ghsa·2022-06-06
CVE-2022-31030 [MEDIUM] CWE-400 containerd CRI plugin: Host memory exhaustion through ExecSync
containerd CRI plugin: Host memory exhaustion through ExecSync
### Impact
A bug was found in containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility.
### Patches
This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue.
### Workarounds
Ensure that only trusted images and commands are used.
### References
* Similar fi
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.openwall.com/lists/oss-security/2022/06/07/1https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpfhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/https://security.gentoo.org/glsa/202401-31https://www.debian.org/security/2022/dsa-5162http://www.openwall.com/lists/oss-security/2022/06/07/1https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpfhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/https://security.gentoo.org/glsa/202401-31https://www.debian.org/security/2022/dsa-5162
2022-06-09
Published