4 matches found
containerd CRI server: Host memory exhaustion through Attach goroutine leak
...
EUVD-2025-38219
containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is...
Missing Release of Memory after Effective Lifetime
Overview: Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime via the Attach functionality. An attacker can cause excessive memory consumption on the host by repeatedly initiating CRI Attach requests, leading to resource exhaustion due to goroutin...
The vulnerability in the containerd execution environment, related to uncontrolled resource consumption, allows an attacker to carry out a denial-of-service (DoS) attack.
The vulnerability in containerd’s execution environment is related to an error in the containerd CRI server when processing terminal size change events. Exploiting this vulnerability could allow a remote attacker to carry out a DoS attack...