11 matches found

OSV
added 6 days ago, 5 views

GHSA-RGH6-RFWX-V388 Arbitrary host CRI log file read via symlink following in CRI checkpoint restore

Impact: A bug was found in containerd where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. Patches: This bug has been fixed in the following containerd versions: 2.3.2...

7.1 CVSS, 6 AI score
Exploits: 0, References: 2
Positive Technologies
added 6 days ago, 12 views

PT-2026-51057

Name of the Vulnerable Software and Affected Versions: containerd versions prior to 2.1.9; containerd versions prior to 2.2.5; containerd versions prior to 2.3.2. Description: A bug in the CRI plugin allows the restoration of container.log from a checkpoint image without validating a symlinked path...

7.1 CVSS, 6 AI score
Exploits: 0, References: 5
EUVD
added 2025/10/03 8:7 p.m., 5 views

EUVD-2025-16049

Malicious code in bioql PyPI...

7.5 CVSS, 6.4 AI score, 0.00242 EPSS
Exploits: 0, References: 4
OSV
added 2024/08/21 3:11 p.m., 19 views

GO-2022-0482 containerd CRI plugin: Host memory exhaustion through ExecSync in github.com/containerd/containerd

containerd CRI plugin: Host memory exhaustion through ExecSync in github.com/containerd/containerd...

5.5 CVSS, 5.8 AI score, 0.00377 EPSS
Exploits: 0, References: 10
OSV
added 2024/08/21 2:30 p.m., 19 views

GO-2022-0344 containerd CRI plugin: Insecure handling of image volumes in github.com/containerd/containerd

containerd CRI plugin: Insecure handling of image volumes in github.com/containerd/containerd...

7.5 CVSS, 7.6 AI score, 0.27392 EPSS
Exploits: 4, References: 15
Amazon
added 2023/10/17 12:0 a.m., 6 views

Medium: containerd

Issue Overview: A flaw was found in containerd CRI plugin. Containers launched through containerd CRI implementation that share the same image may receive incorrect environment variables, including values that are defined for other containers. The highest threat from this vulnerability is to data...

6.3 CVSS, 6.9 AI score, 0.02044 EPSS
Exploits: 0
OSV
added 2022/06/06 10:7 p.m., 36 views

GHSA-5FFW-GXPP-MXPF containerd CRI plugin: Host memory exhaustion through ExecSync

Impact: A bug was found in containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the ExecSync API. This can cause containerd to consume all available memory on the computer, denying service to other...

5.5 CVSS, 6 AI score, 0.00377 EPSS
Exploits: 0, References: 11
OSV
added 2022/03/02 9:33 p.m., 47 views

GHSA-CRP2-QRR5-8PQ7 containerd CRI plugin: Insecure handling of image volumes

Impact: A bug was found in containerd where containers launched through containerd’s CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup...

7.5 CVSS, 7.9 AI score, 0.27392 EPSS
Exploits: 4, References: 16
Amazon
added 2021/07/21 12:0 a.m., 35 views

Medium: containerd

Issue Overview: A bug was discovered in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host's filesystem. Changes to file permissions can deny access to the expected owner of the file or widen access...

6.8 CVSS, 6.4 AI score, 0.02044 EPSS
Exploits: 2
Fedora
added 2021/03/19 8:29 p.m., 57 views

[SECURITY] Fedora 34 Update: golang-github-containerd-cri-1.19.0-3.20210307gitaa2d5a9.fc34

Cri is a native plugin of containerd 1.1 and above. It is built into containerd and enabled by default...

6.3 CVSS, 1.8 AI score, 0.02044 EPSS
Exploits: 0
RedhatCVE
added 2021/03/11 8:1 p.m., 34 views

CVE-2021-21334

A flaw was found in containerd CRI plugin. Containers launched through containerd's CRI implementation that share the same image may receive incorrect environment variables, including values that are defined for other containers. The highest threat from this vulnerability is to data confidentiali...

6.3 CVSS, 2.9 AI score, 0.02044 EPSS
Exploits: 0, References: 3