github.com/containerd/containerd/v2 vulnerabilities
5 known vulnerabilities affecting github.com/containerd/containerd/v2.
- Total CVEs: 5
- CISA KEV: 0
- Public exploits: 0
- Exploited in wild: 0
- Severity breakdown: HIGH 3, MEDIUM 2
Vulnerabilities
CVE-2024-25621 | HIGH | ≥ 0, < 2.0.7; ≥ 2.1.0-beta.0, < 2.1.5; +1 more | 2025-11-06
CVE-2024-25621 [HIGH] CWE-279 containerd affected by a local privilege escalation via wide permissions on CRI directory
### Impact
An overly broad default permission vulnerability was found in containerd.
- `/var/lib/containerd` was created with the permission bits 0o711, while it should be created with 0o700
- Allowed local users on the host to potentially access the metadata store and the content store
Sources: GHSA, OSV
CVE-2025-64329 | MEDIUM | CVSS 6.9 | ≥ 0, < 2.0.7; ≥ 2.1.0-beta.0, < 2.1.5; +1 more | 2025-11-06
CVE-2025-64329 [MEDIUM] CWE-401 containerd CRI server: Host memory exhaustion through Attach goroutine leak
### Impact
A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.
Repetitive calls of CRI Attach (e.g., [`kubectl attach`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_attach/)) could increase the memory usage of containerd.
Sources: GHSA, OSV
CVE-2025-47290 | HIGH | CVSS 7.6 | ≥ 2.1.0, < 2.1.1 | 2025-05-21
CVE-2025-47290 [HIGH] CWE-367 containerd allows host filesystem access on pull
### Impact
A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system.
### Patches
This bug has been fixed in the following containerd versions:
* 2.1.1
The only affected version of containerd is 2.1.0. Other ver
Sources: GHSA, OSV
CVE-2025-47291 | MEDIUM | ≥ 2.0.1, < 2.0.5 | 2025-05-21
CVE-2025-47291 [MEDIUM] CWE-266 containerd CRI plugin: Incorrect cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods.
### Impact
A bug was found in containerd's CRI implementation where containerd doesn't put usernamespaced containers under the Kubernetes cgroup hierarchy, so some Kubernetes limits are not honored. This may cause a de
Sources: GHSA, OSV
CVE-2024-40635 | HIGH | CVSS 7.8 | ≥ 0, < 2.0.4 | 2025-03-17
CVE-2024-40635 [HIGH] CWE-190 containerd has an integer overflow in User ID handling
### Impact
A bug was found in containerd where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user.
### Patches
This bug has
Sources: GHSA, OSV