Linuxfoundation Containerd vulnerabilities

CVE-2025-64329 [MEDIUM] CWE-401 CVE-2025-64329: containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0. containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To wo

CVE-2024-25621 [HIGH] CWE-279 CVE-2024-25621: containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.con

CVE-2025-47291 [MEDIUM] CWE-266 CVE-2025-47291: containerd is an open-source container runtime. A bug was found in the containerd's CRI implementati containerd is an open-source container runtime. A bug was found in the containerd's CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn't put usernamespaced containers under the Kubernetes' cgroup hierarchy, therefore some Kubernetes limits are not honored. This may cause a denial of service of the Kubern

CVE-2025-47290 [HIGH] CWE-367 CVE-2025-47290: containerd is a container runtime. A time-of-check to time-of-use (TOCTOU) vulnerability was found i containerd is a container runtime. A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system. The only affected version of containerd is 2.1.0. Other versions of containerd are not affected. This b

CVE-2024-40635 [HIGH] CWE-190 CVE-2024-40635: containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6. containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for en

CVE-2023-25173 [HIGH] CWE-863 CVE-2023-25173: containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6. containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary g

CVE-2023-25153 [MEDIUM] CWE-770 CVE-2023-25153: containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users s

CVE-2022-23471 [MEDIUM] CWE-400 CVE-2022-23471: containerd is an open source container runtime. A bug was found in containerd's CRI implementation w containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be st

CVE-2022-31030 [MEDIUM] CWE-400 CVE-2022-31030: containerd is an open source container runtime. A bug was found in the containerd's CRI implementati containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimat

CVE-2022-23648 [HIGH] CWE-200 CVE-2022-23648: containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in co containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the

CVE-2021-43816 [CRITICAL] CWE-281 CVE-2021-43816: containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete r

CVE-2021-41103 [HIGH] CWE-22 CVE-2021-41103: containerd is an open source container runtime with an emphasis on simplicity, robustness and portab containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included ex

CVE-2021-32760 [MEDIUM] CWE-668 CVE-2021-32760: containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 w containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to othe

CVE-2021-21334 [MEDIUM] CWE-668 CVE-2021-21334: In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defin

CVE-2020-15257 [MEDIUM] CWE-669 CVE-2020-15257: containerd is an industry-standard container runtime and is available as a daemon for Linux and Wind containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwi

CVE-2020-15157 [MEDIUM] CWE-522 CVE-2020-15157: In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential l In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follo