CVE-2025-47291: Incorrect Privilege Assignment in Containerd (Containerd V2)

Severity: 4.6 MEDIUM (NVD)
EPSS: 0.3% (top 49.50%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 21; latest update May 23

Description

containerd is an open-source container runtime. A bug was found in containerd's CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, does not place user-namespaced containers under the Kubernetes cgroup hierarchy, so some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node. This bug has been fixed in containerd 2.0.5+ and 2.1.0+. Users should update to these versions to resolve the issue. As a workaround, disa

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages (3 packages)

Source     | Package                      | Affected from | Fixed in
NVD        | linuxfoundation/containerd   | 2.0.1         | 2.0.5
CVEListV5  | containerd/containerd        | >= 2.0.1      | < 2.0.5

Vulnerability Details (5)

OSV: Incorrect cgroup assignment for containers running in usernamespaced Kubernetes pods in github.com/containerd/containerd (2025-05-23)
OSV: containerd CRI plugin: Incorrect cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods. (2025-05-21)
GHSA: containerd CRI plugin: Incorrect cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods. (2025-05-21)
OSV: CVE-2025-47291: containerd is an open-source container runtime (2025-05-21)
CVEList: containerd CRI plugin: Incorrect cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods. (2025-05-21)

Vendor Advisories (3)

Red Hat: containerd: containerd CRI plugin: Incorrect cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods. (2025-05-21)
Microsoft: containerd CRI plugin: Incorrect cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods. (2025-05-13)
Debian: CVE-2025-47291: containerd - containerd is an open-source container runtime. A bug was found in the container... (2025)
CVE-2025-47291 — Incorrect Privilege Assignment | cvebase