CVE-2024-25621
Published: 2025-11-06
Priority: P3 42 · Severity: high · CVSS 3.1 base score: 7.8
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.14% (4.2th percentile)
containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability: the directories `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with permissions that let other local users on the host reach them. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds: have a host administrator manually chmod the directories so they carry no group or world permission bits, or run containerd in rootless mode.
Affected
27 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| containerd | containerd | < 1.7.29 | 1.7.29 |
| containerd | containerd | — | — |
| containerd | containerd | — | — |
| containerd | containerd | — | — |
| containerd | containerd | >= 0 < 1.4.13~ds1-1~deb11u6 | 1.4.13~ds1-1~deb11u6 |
| containerd | containerd | >= 0 < 1.6.20~ds1-1+deb12u2 | 1.6.20~ds1-1+deb12u2 |
| containerd | containerd | >= 0 < 1.7.24~ds1-6+deb13u1 | 1.7.24~ds1-6+deb13u1 |
| containerd | containerd | >= 0 < 1.7.24~ds1-9 | 1.7.24~ds1-9 |
| containerd | containerd | >= 0 < 1.6.12-0ubuntu1~22.04.10 | 1.6.12-0ubuntu1~22.04.10 |
| containerd | containerd | >= 0 < 1.7.24~ds1-8ubuntu1.1 | 1.7.24~ds1-8ubuntu1.1 |
| containerd | containerd | >= 0 < 1.2.6-0ubuntu1~16.04.6+esm6 | 1.2.6-0ubuntu1~16.04.6+esm6 |
| containerd | containerd | >= 0 < 1.6.12-0ubuntu1~18.04.1+esm3 | 1.6.12-0ubuntu1~18.04.1+esm3 |
| containerd | containerd | >= 0 < 1.6.12-0ubuntu1~20.04.8+esm1 | 1.6.12-0ubuntu1~20.04.8+esm1 |
| containerd | containerd | >= 0 < 1.6.24~ds1-1ubuntu1.3+esm2 | 1.6.24~ds1-1ubuntu1.3+esm2 |
| debian | containerd | < containerd 1.6.20~ds1-1+deb12u2 (bookworm) | containerd 1.6.20~ds1-1+deb12u2 (bookworm) |
| github.com | containerd_containerd | >= 0 < 1.7.29 | 1.7.29 |
| github.com | containerd_containerd_v2 | >= 0 < 2.0.7 | 2.0.7 |
| github.com | containerd_containerd_v2 | >= 2.1.0-beta.0 < 2.1.5 | 2.1.5 |
| github.com | containerd_containerd_v2 | >= 2.2.0-beta.0 < 2.2.0 | 2.2.0 |
| linuxfoundation | containerd | < 1.7.29 | 1.7.29 |
| linuxfoundation | containerd | — | — |
| linuxfoundation | containerd | >= 2.0.0 < 2.0.7 | 2.0.7 |
| linuxfoundation | containerd | >= 2.1.0 < 2.1.5 | 2.1.5 |
| msrc | azl3_containerd2_2.0.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_moby-containerd-cc_1.7.7-9_on_azure_linux_3.0 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | 7.8 | HIGH | — |
| vendor_debian | 7.3 | HIGH | — |
| vendor_msrc | 7.3 | HIGH | — |
| vendor_redhat | 7.3 | HIGH | — |
| vendor_ubuntu | 7.3 | HIGH | — |
OSV
containerd, containerd-app vulnerabilities
osv · 2026-01-29 · CVSS 7.8 · HIGH
David Leadbeater discovered that containerd incorrectly set certain directory path permissions. An attacker could possibly use this issue to achieve unauthorised access to the files. (CVE-2024-25621)
It was discovered that containerd did not properly handle the execution of the goroutine of container attach. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-64329)
OSV
containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd
osv · 2025-11-17
GHSA
containerd affected by a local privilege escalation via wide permissions on CRI directory
ghsa · 2025-11-06 · HIGH · CWE-279
### Impact
An overly broad default permission vulnerability was found in containerd.
- `/var/lib/containerd` was created with the permission bits 0o711, while it should be created with 0o700
  - Allowed local users on the host to potentially access the metadata store and the content store
- `/run/containerd/io.containerd.grpc.v1.cri` was created with 0o755, while it should be created with 0o700
  - Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host.
- `/run/containerd/io.containerd.sandbox.controller.v1.shim` was created with 0o
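The three directories above are the ones the CVE summary says an administrator can chmod as a workaround. The POSIX shell script below is an added example, not containerd project code and not part of the advisory: it audits those paths for any group or world permission bits (the check to run before and after upgrading, since a package update does not necessarily change the mode of a directory that already exists) and applies the chmod workaround on request. The `CONTAINERD_DIRS` override variable, the function names and the `fix` argument are the example's own assumptions; the default paths are the ones named in the advisory. Because the advisory line for the sandbox shim directory is truncated on this page, the script treats 0700 as the target for all three, which matches the summary's "no group or world accessible permissions".

```shell
#!/bin/sh
# Added example, not containerd project code. Audits the three directories
# named in CVE-2024-25621 for group/world permission bits and, when invoked
# with "fix", applies the advisory's chmod workaround. CONTAINERD_DIRS is an
# assumed override for hosts with a non-standard layout (space-separated paths).
CONTAINERD_DIRS="${CONTAINERD_DIRS:-/var/lib/containerd /run/containerd/io.containerd.grpc.v1.cri /run/containerd/io.containerd.sandbox.controller.v1.shim}"

# Print the octal permission bits of a path (e.g. 711, 755 or 2755).
# GNU stat takes -c, BSD/macOS stat takes -f, so try both.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Succeed only when the mode has no group or other bits at all, i.e. the
# last two octal digits are 0 (700, 1700, ...). 711, 750 and 755 all fail.
mode_is_tight() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Report every directory in CONTAINERD_DIRS. Returns the number of
# directories that are group- or world-accessible, so 0 means nothing to do.
audit_dirs() {
    bad=0
    for d in $CONTAINERD_DIRS; do
        if [ ! -d "$d" ]; then
            printf 'SKIP  %s (not present)\n' "$d"
            continue
        fi
        m=$(mode_of "$d")
        if mode_is_tight "$m"; then
            printf 'OK    %s mode=%s\n' "$d" "$m"
        else
            printf 'LOOSE %s mode=%s (expected 700)\n' "$d" "$m"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# The workaround from the CVE text: strip group and world bits from each
# directory that exists. Needs root on a real host; safe to re-run.
tighten_dirs() {
    for d in $CONTAINERD_DIRS; do
        if [ -d "$d" ]; then
            chmod go-rwx "$d"
        fi
    done
    return 0
}

# Stand-alone use: "sh audit.sh" reports, "sh audit.sh fix" tightens first.
if [ "${1:-}" = "fix" ]; then
    tighten_dirs
fi
n=0
audit_dirs || n=$?
[ "$n" -eq 0 ] || printf '%d directory(ies) still group- or world-accessible\n' "$n"
```

Tightening only the directory itself is what closes the hole: without search permission on the directory, an unprivileged local user cannot reach anything beneath it regardless of how the files inside are moded. The audit is also a cheap post-upgrade check that the fixed release actually left the paths at 0700 on a given host.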
OSV
CVE-2024-25621: containerd is an open-source container runtime
osv · 2025-11-06 · CVSS 7.8 · HIGH (description identical to the CVE summary at the top of this page)
OSV
containerd affected by a local privilege escalation via wide permissions on CRI directory
osv · 2025-11-06 · HIGH (impact text identical to the GHSA entry above)
Ubuntu
containerd vulnerabilities
vendor_ubuntu · 2026-01-29 · CVSS 7.3 · HIGH
Summary: Several security issues were fixed in containerd.
David Leadbeater discovered that containerd incorrectly set certain directory path permissions. An attacker could possibly use this issue to achieve unauthorised access to the files. (CVE-2024-25621)
It was discovered that containerd did not properly handle the execution of the goroutine of container attach. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-64329)
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
containerd affected by a local privilege escalation via wide permissions on CRI directory
vendor_msrc · 2025-11-11 · CVSS 7.3 · HIGH · CWE-279
Product family: Mariner (GitHub_M)
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Red Hat
github.com/containerd/containerd: containerd local privilege escalation
vendor_redhat · 2025-11-06 · CVSS 7.3 · HIGH · CWE-279 (description identical to the CVE summary at the top of this page)
A local privilege escalation vulnerability has
Debian
CVE-2024-25621: containerd
vendor_debian · 2024 · CVSS 7.3 · HIGH (description identical to the CVE summary at the top of this page)
Scope: local
bookworm: resolved (fixed in 1.6.20~ds1-1+deb12u2)
bullseye: resolved (fixed in 1.4.13~ds1-1~deb11u6)
forky:
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2024-25621 golang-gvisor: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports
Bugzilla
CVE-2024-25621 cri-o1.34: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Discussion:
Does not affect cri-o
---
Corrected: https://pkg.go.dev/vuln/GO-2025-4100
Bugzilla
CVE-2024-25621 source-to-image: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Bugzilla
CVE-2024-25621 cri-o1.33: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Discussion:
govulncheck verified. https://pkg.go.dev/vuln/GO-2025-4100
Bugzilla
CVE-2024-25621 pack: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Bugzilla
CVE-2024-25621 golang-github-moby-buildkit: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Bugzilla
CVE-2024-25621 golang-github-containerd-fuse-overlayfs-snapshotter: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Bugzilla
CVE-2024-25621 cri-o1.30: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Bugzilla
CVE-2024-25621 cri-o1.31: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Bugzilla
CVE-2024-25621 reg: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Bugzilla
CVE-2024-25621 cri-o1.29: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Bugzilla
CVE-2024-25621 cri-o1.32: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Discussion:
govulncheck confirmed: https://pkg.go.dev/vuln/GO-2025-4100
Bugzilla
CVE-2024-25621 helm: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Bugzilla
CVE-2024-25621 trivy: containerd local privilege escalation [fedora-43]
bugzilla · 2025-12-04 · CVSS 7.3 · HIGH
Discussion:
FEDORA-2026-868e266938 (trivy-0.69.3-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-868e266938
---
FEDORA-2026-868e266938 has been pushed to the Fedora 43
Bugzilla
CVE-2024-25621 manifest-tool: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Bugzilla
CVE-2024-25621 golang-github-containerd: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Bugzilla
CVE-2024-25621 stargz-snapshotter: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Bugzilla
CVE-2024-25621 kata-containers: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Bugzilla
CVE-2024-25621 cri-o: containerd local privilege escalation [fedora-42]
bugzilla · 2025-12-04 · CVSS 7.8 · HIGH
Bugzilla
CVE-2024-25621 github.com/containerd/containerd: containerd local privilege escalation
bugzilla · 2025-11-06 · CVSS 7.8 · HIGH (description identical to the CVE summary at the top of this page)
Published: 2025-11-06