CVE-2025-64329
Published: 2025-11-07
PriorityP422medium5.5CVSS 3.1
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.15% (4.7th percentile)
containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.
Affected
27 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| containerd | containerd | < 1.7.29 | 1.7.29 |
| containerd | containerd | < 2.0.7 | 2.0.7 |
| containerd | containerd | — | — |
| containerd | containerd | — | — |
| containerd | containerd | >= 0 < 1.4.13~ds1-1~deb11u6 | 1.4.13~ds1-1~deb11u6 |
| containerd | containerd | >= 0 < 1.7.24~ds1-6+deb13u1 | 1.7.24~ds1-6+deb13u1 |
| containerd | containerd | >= 0 < 1.7.24~ds1-10 | 1.7.24~ds1-10 |
| containerd | containerd | >= 0 < 1.6.12-0ubuntu1~22.04.10 | 1.6.12-0ubuntu1~22.04.10 |
| containerd | containerd | >= 0 < 1.7.24~ds1-8ubuntu1.1 | 1.7.24~ds1-8ubuntu1.1 |
| containerd | containerd | >= 0 < 1.2.6-0ubuntu1~16.04.6+esm6 | 1.2.6-0ubuntu1~16.04.6+esm6 |
| containerd | containerd | >= 0 < 1.6.12-0ubuntu1~18.04.1+esm3 | 1.6.12-0ubuntu1~18.04.1+esm3 |
| containerd | containerd | >= 0 < 1.6.12-0ubuntu1~20.04.8+esm1 | 1.6.12-0ubuntu1~20.04.8+esm1 |
| containerd | containerd | >= 0 < 1.6.24~ds1-1ubuntu1.3+esm2 | 1.6.24~ds1-1ubuntu1.3+esm2 |
| debian | containerd | < containerd 1.4.13~ds1-1~deb11u6 (bullseye) | containerd 1.4.13~ds1-1~deb11u6 (bullseye) |
| github.com | containerd_containerd | >= 0 < 1.7.29 | 1.7.29 |
| github.com | containerd_containerd_v2 | >= 0 < 2.0.7 | 2.0.7 |
| github.com | containerd_containerd_v2 | >= 2.1.0-beta.0 < 2.1.5 | 2.1.5 |
| github.com | containerd_containerd_v2 | >= 2.2.0-beta.0 < 2.2.0 | 2.2.0 |
| linuxfoundation | containerd | < 1.7.29 | 1.7.29 |
| linuxfoundation | containerd | — | — |
| linuxfoundation | containerd | >= 2.0.0 < 2.0.7 | 2.0.7 |
| linuxfoundation | containerd | >= 2.1.0 < 2.1.5 | 2.1.5 |
| msrc | azl3_containerd2_2.0.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_containerd2_2.0.0-16_on_azure_linux_3.0 | — | — |
| msrc | azl3_moby-containerd-cc_1.7.7-9_on_azure_linux_3.0 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 6.9 | MEDIUM | — |
| osv | — | 7.8 | HIGH | — |
| vendor_ubuntu | — | 7.3 | HIGH | — |
| vendor_debian | — | 6.9 | MEDIUM | — |
| vendor_msrc | — | 6.9 | MEDIUM | — |
| vendor_redhat | — | 6.9 | MEDIUM | — |
OSV
containerd, containerd-app vulnerabilities
osv·2026-01-29·CVSS 7.8
CVE-2024-25621 [HIGH] containerd, containerd-app vulnerabilities
containerd, containerd-app vulnerabilities
David Leadbeater discovered that containerd incorrectly set certain directory path permissions. An attacker could possibly use this issue to achieve unauthorised access to the files. (CVE-2024-25621)

It was discovered that containerd did not properly handle the execution of the goroutine of container attach. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-64329)
OSV
containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd
osv·2025-11-17
CVE-2025-64329 containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd
containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd
OSV
CVE-2025-64329: containerd is an open-source container runtime
osv·2025-11-07·CVSS 6.9
CVE-2025-64329 [MEDIUM] CVE-2025-64329: containerd is an open-source container runtime
containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.
OSV
containerd CRI server: Host memory exhaustion through Attach goroutine leak
osv·2025-11-06·CVSS 6.9
CVE-2025-64329 [MEDIUM] containerd CRI server: Host memory exhaustion through Attach goroutine leak
containerd CRI server: Host memory exhaustion through Attach goroutine leak
### Impact
A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.
Repetitive calls of CRI Attach (e.g., [`kubectl attach`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_attach/)) could increase the memory usage of containerd.
### Patches
This bug has been fixed in the following containerd versions:
* 2.2.0
* 2.1.5
* 2.0.7
* 1.7.29
Users should update to these versions to resolve the issue.
### Workarounds
Set up an admission controller to control accesses to `pods/attach` resources.
e.g., [Validating Admission Policy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/).
### Credits
Th
GHSA
containerd CRI server: Host memory exhaustion through Attach goroutine leak
ghsa·2025-11-06·CVSS 6.9
CVE-2025-64329 [MEDIUM] CWE-401 containerd CRI server: Host memory exhaustion through Attach goroutine leak
containerd CRI server: Host memory exhaustion through Attach goroutine leak
### Impact
A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.
Repetitive calls of CRI Attach (e.g., [`kubectl attach`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_attach/)) could increase the memory usage of containerd.
### Patches
This bug has been fixed in the following containerd versions:
* 2.2.0
* 2.1.5
* 2.0.7
* 1.7.29
Users should update to these versions to resolve the issue.
### Workarounds
Set up an admission controller to control accesses to `pods/attach` resources.
e.g., [Validating Admission Policy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/).
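As an added illustration of that workaround (not part of the advisory), the following ValidatingAdmissionPolicy and binding deny `CONNECT` requests on the `pods/attach` subresource unless the caller belongs to a group; the group name `pod-attach-admins` and the object names are placeholders chosen here, and the policy assumes a cluster where `admissionregistration.k8s.io/v1` is served.

```yaml
# Added example: restrict who may reach the CRI Attach code path while
# containerd is being upgraded. Names and the group are placeholders.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: restrict-pod-attach
spec:
  failurePolicy: Fail          # if the policy cannot be evaluated, deny
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CONNECT"]  # kubectl attach issues CONNECT on the subresource
        resources: ["pods/attach"]
  validations:
    # Allow only members of the placeholder group; has() guards the
    # case where the request carries no group list at all.
    - expression: "has(request.userInfo.groups) && 'pod-attach-admins' in request.userInfo.groups"
      message: "pods/attach is limited to the pod-attach-admins group (CVE-2025-64329 workaround)"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: restrict-pod-attach-binding
spec:
  policyName: restrict-pod-attach
  validationActions: ["Deny"]  # cluster-wide; add matchResources to scope to namespaces
```

This only narrows who can trigger the leaking code path; it does not bound how many attach calls a permitted user makes, so it complements rather than replaces the upgrade.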
### Credits
Th
Ubuntu
containerd vulnerabilities
vendor_ubuntu·2026-01-29·CVSS 7.3
CVE-2024-25621 [HIGH] containerd vulnerabilities
Title: containerd vulnerabilities
Summary: Several security issues were fixed in containerd.
David Leadbeater discovered that containerd incorrectly set certain directory path permissions. An attacker could possibly use this issue to achieve unauthorised access to the files. (CVE-2024-25621)

It was discovered that containerd did not properly handle the execution of the goroutine of container attach. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-64329)
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
containerd CRI server: Host memory exhaustion through Attach goroutine leak
vendor_msrc·2025-11-11·CVSS 6.9
CVE-2025-64329 [MEDIUM] CWE-401 containerd CRI server: Host memory exhaustion through Attach goroutine leak
containerd CRI server: Host memory exhaustion through Attach goroutine leak
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Red Hat
github.com/containerd/containerd: containerd: Memory exhaustion via CRI Attach implementation goroutine leaks
vendor_redhat·2025-11-07·CVSS 6.9
CVE-2025-64329 [MEDIUM] CWE-771 github.com/containerd/containerd: containerd: Memory exhaustion via CRI Attach implementation goroutine leaks
github.com/containerd/containerd: containerd: Memory exhaustion via CRI Attach implementation goroutine leaks
containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.
A flaw was found in containerd. This vulnerability allows a user to exhaust memory on the host due to goroutine leaks via a bug in the CRI (Container Runtime Interface) Attach implementation.
Statement: The highest threa
Debian
CVE-2025-64329: containerd - containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0...
vendor_debian·2025·CVSS 6.9
CVE-2025-64329 [MEDIUM] CVE-2025-64329: containerd - containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0...
containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.
Scope: local
bookworm: open
bullseye: resolved (fixed in 1.4.13~ds1-1~deb11u6)
forky: resolved (fixed in 1.7.24~ds1-10)
sid: resolved (fixed in 1.7.24~ds1-10)
trixie: resolved (fixed in 1.7.24~ds1-6+deb13u1)
No detection rules found.
No public exploits indexed.
Published: 2025-11-07