CVE-2025-64329 — Missing Release of Memory after Effective Lifetime in Containerd
Severity: NVD 6.9 MEDIUM; OSV 7.8
EPSS: 0.0% (top 99.74%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 7; Latest update Jan 29
Description
containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation: goroutines started for attach requests are leaked, so a user who is allowed to attach to containers can exhaust memory on the host. The issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Until nodes are upgraded, the workaround is to restrict access to the pods/attach subresource, for example with an admission controller that denies attach requests from all but trusted principals (auditing which RBAC subjects hold `create` on pods/attach is the complementary check).
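Checking a node against the ranges above, as an added example written for this page (it is not containerd's code and not part of the advisory): a Go program that takes a `containerd --version` line or a bare tag, applies semver precedence so that prerelease tags such as 2.2.0-rc.1 sort before 2.2.0 and rc.10 after rc.9, and reports whether the version falls inside any of the inclusive ranges quoted in the description. The sample version line in `main` is constructed; distribution package suffixes (a Debian-style `-1`) are not given any special meaning.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed containerd release tag such as "1.7.28" or "2.2.0-rc.1".
type version struct {
	nums [3]int   // major, minor, patch
	pre  []string // prerelease identifiers ("rc", "1"); empty for a final release
}

// parseVersion accepts a bare tag ("v2.0.0-beta.0") or a whole `containerd --version`
// line ("containerd github.com/containerd/containerd v1.7.28 <commit>") and uses the
// first field that starts with a digit after an optional "v".
func parseVersion(s string) (version, error) {
	var v version
	tag := ""
	for _, f := range strings.Fields(s) {
		f = strings.TrimPrefix(f, "v")
		if f != "" && f[0] >= '0' && f[0] <= '9' {
			tag = f
			break
		}
	}
	if tag == "" {
		return v, fmt.Errorf("no version tag in %q", s)
	}
	core, pre, _ := strings.Cut(tag, "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("expected major.minor.patch, got %q", tag)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("bad version %q: %v", tag, err)
		}
		v.nums[i] = n
	}
	if pre != "" {
		v.pre = strings.Split(pre, ".")
	}
	return v, nil
}

// compare returns <0, 0 or >0 using semver precedence: numeric core first, then a
// prerelease sorts before its final release ("2.2.0-rc.1" < "2.2.0"), then the
// prerelease identifiers left to right (numerically when both sides are numbers).
func compare(a, b version) int {
	for i := 0; i < 3; i++ {
		if d := a.nums[i] - b.nums[i]; d != 0 {
			return d
		}
	}
	if len(a.pre) == 0 || len(b.pre) == 0 {
		return len(b.pre) - len(a.pre) // the side without a prerelease is greater
	}
	for i := 0; i < len(a.pre) && i < len(b.pre); i++ {
		an, aerr := strconv.Atoi(a.pre[i])
		bn, berr := strconv.Atoi(b.pre[i])
		d := strings.Compare(a.pre[i], b.pre[i]) // "beta" < "rc"; digits sort before letters
		if aerr == nil && berr == nil {
			d = an - bn // numeric identifiers compare numerically, so "rc.10" > "rc.9"
		}
		if d != 0 {
			return d
		}
	}
	return len(a.pre) - len(b.pre)
}

// affectedRanges are the inclusive ranges quoted in the advisory; fixed releases are
// 1.7.29, 2.0.7, 2.1.5 and 2.2.0.
var affectedRanges = [][2]string{
	{"0.0.0", "1.7.28"},
	{"2.0.0-beta.0", "2.0.6"},
	{"2.1.0-beta.0", "2.1.4"},
	{"2.2.0-beta.0", "2.2.0-rc.1"},
}

// isAffected reports whether the containerd version found in s is in an affected range.
func isAffected(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		lo, _ := parseVersion(r[0])
		hi, _ := parseVersion(r[1])
		if compare(v, lo) >= 0 && compare(v, hi) <= 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample of `containerd --version` output; real output ends with the commit hash.
	affected, err := isAffected("containerd github.com/containerd/containerd v1.7.28 cafe0001")
	fmt.Println("affected:", affected, "err:", err)
}
```

Run it per node (`containerd --version | go run check.go` with `main` adapted to read stdin, or paste the line into `isAffected`); anything reported as affected needs one of the fixed releases, and until then the attach restriction below the CVSS vector applies.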
CVSS vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
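One way to implement the admission-controller workaround named in the description, as an added example that is not part of this advisory or of containerd: a validating webhook in Go that denies every request on the core `pods/attach` subresource unless the caller belongs to an allow-listed group, and leaves `exec`, `log` and every other resource alone. The AdmissionReview types are a hand-declared subset of `admission.k8s.io/v1` so the program builds with the standard library only; the group names, the `/validate` path, the listen address and the certificate paths are placeholders. The ValidatingWebhookConfiguration that routes traffic here must list `resources: ["pods/attach"]` and `operations: ["CONNECT"]`, which is how the API server presents an attach to admission, and should use `failurePolicy: Fail` so an unreachable webhook does not reopen attach.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
)

// Hand-declared subset of the admission.k8s.io/v1 AdmissionReview wire format.
type gvr struct {
	Group    string `json:"group"`
	Resource string `json:"resource"`
}

type admissionRequest struct {
	UID         string `json:"uid"`
	Resource    gvr    `json:"resource"`
	SubResource string `json:"subResource"`
	Namespace   string `json:"namespace"`
	Name        string `json:"name"`
	UserInfo    struct {
		Username string   `json:"username"`
		Groups   []string `json:"groups"`
	} `json:"userInfo"`
}

type status struct {
	Code    int    `json:"code"`
	Message string `json:"message"`
}

type admissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *status `json:"status,omitempty"`
}

type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}

// allowedGroups may still attach while nodes run an affected containerd (placeholder names).
var allowedGroups = map[string]bool{"system:masters": true, "containerd-attach-ok": true}

// decide denies any request on the core pods/attach subresource unless the caller is in an
// allowed group. The operation is deliberately not consulted, so the denial does not depend on
// how the API server labels the verb; every other resource and subresource is allowed through.
func decide(req *admissionRequest) *admissionResponse {
	resp := &admissionResponse{UID: req.UID, Allowed: true}
	if req.Resource.Group != "" || req.Resource.Resource != "pods" || req.SubResource != "attach" {
		return resp
	}
	for _, g := range req.UserInfo.Groups {
		if allowedGroups[g] {
			return resp
		}
	}
	resp.Allowed = false
	resp.Status = &status{Code: http.StatusForbidden, Message: fmt.Sprintf(
		"pods/attach on %s/%s denied for %q until containerd is patched for CVE-2025-64329",
		req.Namespace, req.Name, req.UserInfo.Username)}
	return resp
}

// review decodes an AdmissionReview, decides, and encodes the reply; the response must echo
// the request UID or the API server discards it.
func review(body []byte) ([]byte, error) {
	var in admissionReview
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, err
	}
	if in.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	out := admissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: decide(in.Request)}
	return json.Marshal(out)
}

func handle(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err == nil {
		body, err = review(body)
	}
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Write(body)
}

func main() {
	http.HandleFunc("/validate", handle)
	// Admission webhooks must be served over TLS; the certificate paths are placeholders.
	log.Fatal(http.ListenAndServeTLS(":8443", "/etc/webhook/tls.crt", "/etc/webhook/tls.key", nil))
}
```

The match is on `group == ""`, `resource == "pods"`, `subResource == "attach"` rather than on a URL path, because that is the tuple the API server fills in for the `/api/v1/namespaces/<ns>/pods/<name>/attach` endpoint; a policy that matched only `exec` would leave the attach path open. Remove the webhook once every node reports a fixed release.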
Affected packages: 6 packages (per OSV)
Vulnerability details (OSV advisory, 2025-11-17): containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd