CVE-2023-25153
Published: 2023-02-16
Priority: P4 · 20 · medium
CVSS 3.1: 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
EPSS: 0.44% (35.1th percentile)
containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
Affected
26 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| containerd | containerd | < 1.5.18 | 1.5.18 |
| containerd | containerd | — | — |
| containerd | containerd | >= 0 < 1.4.13~ds1-1~deb11u4 | 1.4.13~ds1-1~deb11u4 |
| containerd | containerd | >= 0 < 1.6.18~ds1-1 | 1.6.18~ds1-1 |
| containerd | containerd | >= 0 < 1.6.18~ds1-1 | 1.6.18~ds1-1 |
| containerd | containerd | >= 0 < 1.6.18~ds1-1 | 1.6.18~ds1-1 |
| containerd | containerd | >= 0 < 1.6.12-0ubuntu1~20.04.3 | 1.6.12-0ubuntu1~20.04.3 |
| containerd | containerd | >= 0 < 1.6.12-0ubuntu1~22.04.3 | 1.6.12-0ubuntu1~22.04.3 |
| containerd | containerd | >= 0 < 1.2.6-0ubuntu1~16.04.6+esm4 | 1.2.6-0ubuntu1~16.04.6+esm4 |
| containerd | containerd | >= 0 < 1.6.12-0ubuntu1~18.04.1+esm1 | 1.6.12-0ubuntu1~18.04.1+esm1 |
| debian | containerd | < containerd 1.6.18~ds1-1 (bookworm) | containerd 1.6.18~ds1-1 (bookworm) |
| github.com | containerd_containerd | >= 0 < 1.5.18 | 1.5.18 |
| github.com | containerd_containerd | >= 1.6.0 < 1.6.18 | 1.6.18 |
| linuxfoundation | containerd | < 1.5.18 | 1.5.18 |
| linuxfoundation | containerd | >= 1.6.0 < 1.6.18 | 1.6.18 |
| msrc | azl3_moby-engine_20.10.25-3_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_k3s_1.25.5-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_moby-containerd_1.6.18-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_moby-engine_20.10.14-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| osv | 5.5 | MEDIUM | — |
| vendor_debian | 6.2 | MEDIUM | — |
| vendor_redhat | 6.2 | MEDIUM | — |
| vendor_ubuntu | 6.2 | MEDIUM | — |
| vendor_msrc | 5.5 | MEDIUM | — |
Ubuntu
containerd vulnerabilities
vendor_ubuntu · 2023-07-05 · CVSS 6.2 · MEDIUM
Summary: Several security issues were fixed in containerd.
David Korczynski and Adam Korczynski discovered that containerd incorrectly processed certain images with large files. An attacker could possibly use this issue to cause containerd to crash, resulting in a denial of service. (CVE-2023-25153)
It was discovered that containerd incorrectly set up supplementary groups inside a container. An attacker with direct access to the container could possibly use this issue to obtain sensitive information or execute code with higher privileges. (CVE-2023-25173)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
containerd: OCI image importer memory exhaustion
vendor_redhat · 2023-02-15 · CVSS 6.2 · MEDIUM · CWE-400
A flaw was found in containerd. When importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file, where a limit was not applied, could cause a denial
Microsoft
containerd OCI image importer memory exhaustion
vendor_msrc · 2023-02-14 · CVSS 5.5 · MEDIUM · CWE-770
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.m
Debian
containerd
vendor_debian · 2023 · CVSS 6.2 · MEDIUM
containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
Scope: local
bookworm: resolved (fixed in 1.6.18~ds1-1)
bullseye: resolved (fixed in 1.4.13~ds1-1~deb11u4)
forky: resolved (fixed in 1.6.18~ds1-1)
sid: resolved (fixed in 1.6.18~ds1-1)
trixie: resolved (fixed in 1.6.18~ds1-1)
OSV
Memory exhaustion via OCI image importer in github.com/containerd/containerd
osv · 2023-02-17
When importing an OCI image, there was no limit on the number of bytes read from the io.Reader passed into ImportIndex. A large number of bytes could be read from this and could cause a denial of service.
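Added example, not containerd's code and not the fix commit linked in the references: a simplified stand-in for the import path, showing why decoding a tar entry straight into the JSON decoder is a memory sink when the archive decides the entry's size, and how a byte cap closes it. The names `maxMetaBytes`, `findEntry`, `importIndexUnbounded`, `importIndexBounded` and `buildImageTar`, the 64 KiB limit, and the in-memory sample archive are all constructed for this example. `tar.Reader` stops each entry at `hdr.Size`, but `hdr.Size` is attacker-controlled, so the cap has to be enforced on what the importer is willing to buffer.

```go
package main

import (
	"archive/tar"
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// maxMetaBytes caps how much of an image metadata file (index.json here) the
// importer will buffer. The value is an assumption for this example, not the
// limit containerd chose.
const maxMetaBytes int64 = 64 << 10

var errMetaTooLarge = errors.New("metadata file exceeds size limit")

// ociIndex is the subset of the OCI image index this example decodes.
type ociIndex struct {
	SchemaVersion int               `json:"schemaVersion"`
	Manifests     []json.RawMessage `json:"manifests"`
}

// findEntry advances tr to the named regular file and returns its header.
func findEntry(tr *tar.Reader, name string) (*tar.Header, error) {
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil, fmt.Errorf("%s not found in archive", name)
		}
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag == tar.TypeReg && hdr.Name == name {
			return hdr, nil
		}
	}
}

// importIndexUnbounded is a stand-in for the pre-fix behaviour: the entry is
// handed straight to the JSON decoder, which buffers the whole value, so the
// archive's author decides how much memory this allocates.
func importIndexUnbounded(r io.Reader) (*ociIndex, error) {
	tr := tar.NewReader(r)
	if _, err := findEntry(tr, "index.json"); err != nil {
		return nil, err
	}
	var idx ociIndex
	if err := json.NewDecoder(tr).Decode(&idx); err != nil {
		return nil, err
	}
	return &idx, nil
}

// importIndexBounded enforces a byte cap: reject on the declared size up front,
// then read through a LimitReader so the cap does not rely on the archive's
// framing being honest. Reading limit+1 bytes is how overrun is detected.
func importIndexBounded(r io.Reader, limit int64) (*ociIndex, error) {
	tr := tar.NewReader(r)
	hdr, err := findEntry(tr, "index.json")
	if err != nil {
		return nil, err
	}
	if hdr.Size > limit {
		return nil, fmt.Errorf("%w: declared %d bytes, limit %d", errMetaTooLarge, hdr.Size, limit)
	}
	data, err := io.ReadAll(io.LimitReader(tr, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, errMetaTooLarge
	}
	var idx ociIndex
	if err := json.Unmarshal(data, &idx); err != nil {
		return nil, err
	}
	return &idx, nil
}

// buildImageTar constructs (in memory, for this example) a minimal OCI layout
// tar whose index.json is padded to indexSize bytes; the padding sits in an
// unused field so the document stays valid JSON.
func buildImageTar(indexSize int) []byte {
	head, tail := `{"schemaVersion":2,"manifests":[],"pad":"`, `"}`
	pad := indexSize - len(head) - len(tail)
	if pad < 0 {
		pad = 0
	}
	index := append(append([]byte(head), bytes.Repeat([]byte("A"), pad)...), tail...)
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, f := range []struct {
		name string
		data []byte
	}{{"oci-layout", []byte(`{"imageLayoutVersion":"1.0.0"}`)}, {"index.json", index}} {
		hdr := &tar.Header{Name: f.name, Mode: 0o644, Size: int64(len(f.data)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write(f.data); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	small, big := buildImageTar(512), buildImageTar(int(maxMetaBytes)*4)
	if _, err := importIndexUnbounded(bytes.NewReader(big)); err == nil {
		fmt.Println("unbounded: buffered the oversized index.json without complaint")
	}
	if idx, err := importIndexBounded(bytes.NewReader(small), maxMetaBytes); err == nil {
		fmt.Printf("bounded: accepted small index (schemaVersion=%d)\n", idx.SchemaVersion)
	}
	if _, err := importIndexBounded(bytes.NewReader(big), maxMetaBytes); err != nil {
		fmt.Println("bounded:", err)
	}
}
```

The stream reaches the importer through containerd's image import API, which is why the advisory's workaround is about who is allowed to import rather than about network exposure (the CVSS vector is local, user-interaction required). In the real code the same concern applies to every metadata file read from the archive, not only the index; layer blobs are copied to the content store rather than buffered, so they are not the problem.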
GHSA
OCI image importer memory exhaustion in github.com/containerd/containerd
ghsa · 2023-02-16 · MEDIUM · CWE-400 · GHSA-259w-8hf6-59c2
### Impact
When importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service.
### Patches
This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue.
### Workarounds
Ensure that only trusted images are used and that only trusted users have permissions to import images.
### Credits
The containerd project would like to thank [David Korczynski](https://github.com/DavidKorczynski) and [Adam Korczynski](https://github.com/AdamKorcz) of ADA Logics for responsibly disclosing this issue in accordance with the [containerd securit
OSV
CVE-2023-25153: containerd is an open source container runtime
osv · 2023-02-16 · CVSS 5.5 · MEDIUM
containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2
- https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4
- https://github.com/containerd/containerd/releases/tag/v1.5.18
- https://github.com/containerd/containerd/releases/tag/v1.6.18