CVE-2025-47290Time-of-check Time-of-use (TOCTOU) Race Condition in Containerd Containerd V2

CWE-367Time-of-check Time-of-use (TOCTOU) Race Condition7 documents6 sources
Severity
7.6HIGHNVD
EPSS
0.1%
top 80.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Github.com Containerd Containerd V2ContainerdLinuxfoundation Containerd
Timeline
PublishedMay 20
Latest updateMay 23

Description

containerd is a container runtime. A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system. The only affected version of containerd is 2.1.0. Other versions of containerd are not affected. This bug has been fixed in containerd 2.1.1. Users should update to this version to resolve the issue. As a workaround, ensure that only trusted images a

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Packages3 packages

CVEListV5containerd/containerd= 2.1.0

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
Allows host filesystem access on pull in github.com/containerd/containerd2025-05-23
OSV
containerd allows host filesystem access on pull2025-05-21
GHSA
containerd allows host filesystem access on pull2025-05-21
CVEList
Containerd vulnerable to host filesystem access during image unpack2025-05-20

📋Vendor Advisories

2
Red Hat
containerd: Containerd vulnerable to host filesystem access during image unpack2025-05-20
Debian
CVE-2025-47290: containerd - containerd is a container runtime. A time-of-check to time-of-use (TOCTOU) vulne...2025
CVE-2025-47290 — Containerd Containerd V2 vulnerability | cvebase