CVE-2025-64329
published 2025-11-07

Priority: P4 · 22 · medium
CVSS 3.1: 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.15% (4.7th percentile)

containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To work around this vulnerability, users can set up an admission controller to control access to pods/attach resources.

Affected

27 ranges · showing 25

Vendor | Product | Version range | Fixed in
containerd | containerd | < 1.7.29 | 1.7.29
containerd | containerd | < 2.0.7 | 2.0.7
containerd | containerd | |
containerd | containerd | |
containerd | containerd | >= 0 < 1.4.13~ds1-1~deb11u6 | 1.4.13~ds1-1~deb11u6
containerd | containerd | >= 0 < 1.7.24~ds1-6+deb13u1 | 1.7.24~ds1-6+deb13u1
containerd | containerd | >= 0 < 1.7.24~ds1-10 | 1.7.24~ds1-10
containerd | containerd | >= 0 < 1.6.12-0ubuntu1~22.04.10 | 1.6.12-0ubuntu1~22.04.10
containerd | containerd | >= 0 < 1.7.24~ds1-8ubuntu1.1 | 1.7.24~ds1-8ubuntu1.1
containerd | containerd | >= 0 < 1.2.6-0ubuntu1~16.04.6+esm6 | 1.2.6-0ubuntu1~16.04.6+esm6
containerd | containerd | >= 0 < 1.6.12-0ubuntu1~18.04.1+esm3 | 1.6.12-0ubuntu1~18.04.1+esm3
containerd | containerd | >= 0 < 1.6.12-0ubuntu1~20.04.8+esm1 | 1.6.12-0ubuntu1~20.04.8+esm1
containerd | containerd | >= 0 < 1.6.24~ds1-1ubuntu1.3+esm2 | 1.6.24~ds1-1ubuntu1.3+esm2
debian | containerd | < containerd 1.4.13~ds1-1~deb11u6 (bullseye) | containerd 1.4.13~ds1-1~deb11u6 (bullseye)
github.com | containerd_containerd | >= 0 < 1.7.29 | 1.7.29
github.com | containerd_containerd_v2 | >= 0 < 2.0.7 | 2.0.7
github.com | containerd_containerd_v2 | >= 2.1.0-beta.0 < 2.1.5 | 2.1.5
github.com | containerd_containerd_v2 | >= 2.2.0-beta.0 < 2.2.0 | 2.2.0
linuxfoundation | containerd | < 1.7.29 | 1.7.29
linuxfoundation | containerd | |
linuxfoundation | containerd | >= 2.0.0 < 2.0.7 | 2.0.7
linuxfoundation | containerd | >= 2.1.0 < 2.1.5 | 2.1.5
msrc | azl3_containerd2_2.0.0-14_on_azure_linux_3.0 | |
msrc | azl3_containerd2_2.0.0-16_on_azure_linux_3.0 | |
msrc | azl3_moby-containerd-cc_1.7.7-9_on_azure_linux_3.0 | |

CVSS provenance

nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa | 6.9 | MEDIUM
osv | 7.8 | HIGH
vendor_ubuntu | 7.3 | HIGH
vendor_debian | 6.9 | MEDIUM
vendor_msrc | 6.9 | MEDIUM
vendor_redhat | 6.9 | MEDIUM