Lucene search
K
LinuxfoundationContainerd

22 matches found

CVE
CVE
added 2022/06/06 12:0 a.m.839 views

CVE-2022-31030

CVE-2022-31030 affects containerd’s CRI ExecSync path, where containered processes can cause unbounded memory growth in the containerd daemon, risking host memory exhaustion and denial of service. The connected documents confirm the root cause is within containerd’s CRI implementation and state f...

5.5CVSS5.9AI score0.00377EPSS
CVE
CVE
added 2023/02/16 2:9 p.m.668 views

CVE-2023-25173

CVE-2023-25173 affects containerd. A bug allowed improper setup of supplementary groups inside a container, enabling bypass of primary group restrictions and potential access to sensitive data or code execution when an attacker has container access. The issue is fixed in containerd 1.6.18 and 1.5...

7.8CVSS7AI score0.00542EPSS
CVE
CVE
added 2020/12/01 2:30 a.m.564 views

CVE-2020-15257

The CVE describes a privilege-escalation issue in containerd where access controls on the shim API socket allowed a container in the same network namespace to run new processes with elevated privileges. Affected releases are containerd before 1.3.9 and before 1.4.3; the vulnerability stems from e...

5.2CVSS5.4AI score0.03236EPSS
In wild
CVE
CVE
added 2021/07/19 12:0 a.m.537 views

CVE-2021-32760

CVE-2021-32760 affects containerd prior to 1.4.8 and 1.5.4. A crafted container image could cause Unix file permission changes on host files when pulling/extracting, potentially denying access, widening permissions, or setting bits like setuid/setgid/sticky. The flaw does not directly unlock read...

6.8CVSS6AI score0.01608EPSS
Web
CVE
CVE
added 2022/03/03 12:0 a.m.534 views

CVE-2022-23648

CVE-2022-23648 affects containerd’s CRI implementation on Linux where specially-crafted image configurations could allow reading read-only copies of arbitrary host files and directories, potentially bypassing policy enforcement. The issue was fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users s...

7.5CVSS7.8AI score0.27392EPSS
CVE
CVE
added 2023/02/16 2:9 p.m.523 views

CVE-2023-25153

Summary: CVE-2023-25153 affects containerd and, when importing OCI images, could allow a denial of service due to an unlimited bytes-read limit on certain files. The issue exists in versions prior to 1.6.18 and 1.5.18. Root cause: missing input size limit during image import leads to potential Do...

6.2CVSS6.5AI score0.00363EPSS
CVE
CVE
added 2021/10/04 12:0 a.m.515 views

CVE-2021-41103

CVE-2021-41103 affects containerd and stems from insufficiently restricted permissions on container root directories and some plugins, enabling unprivileged host users to traverse directories, read/modify files, and potentially execute programs (including those with extended permission bits). The...

7.8CVSS6.8AI score0.00482EPSS
CVE
CVE
added 2022/12/07 10:51 p.m.512 views

CVE-2022-23471

CVE-2022-23471 affects containerd’s CRI implementation where a terminal resize handling goroutine in the CRI stream server can leak memory if a child fails to launch. Affected component: containerd (CRIs/stream server). Root cause: goroutine waiting to send on a channel with no receiver, enabling...

6.5CVSS6.9AI score0.01022EPSS
CVE
CVE
added 2021/03/10 9:30 p.m.494 views

CVE-2021-21334

CVE-2021-21334 affects containerd’s CRI plugin: when multiple containers/pods are launched from the same image, containers may receive incorrect environment variables shared across them, potentially exposing sensitive data. The issue is fixed in containerd versions 1.3.10 and 1.4.4; affected envi...

6.3CVSS6.5AI score0.02044EPSS
CVE
CVE
added 2025/03/17 9:32 p.m.289 views

CVE-2024-40635

CVE-2024-40635 affects containerd. A bug allows containers launched with a UID:GID that exceeds the 32‑bit signed integer max to overflow, causing the container to run as root (UID 0). Fixed in containerd releases: 1.6.38, 1.7.27, and 2.0.4. Workarounds include using only trusted images and restr...

7.8CVSS4.9AI score0.00275EPSS
CVE
CVE
added 2020/10/16 4:45 p.m.280 views

CVE-2020-15157

The CVE-2020-15157 issue affects containerd (pre-1.2.14) where the default resolver would leak credentials when a container image manifest points to a foreign layer. If a manifest directs a layer URL to a attacker‑controlled web server and the image is pulled, credentials used for the registry co...

6.1CVSS6.8AI score0.02236EPSS
CVE
CVE
added 2022/01/05 6:55 p.m.211 views

CVE-2021-43816

CVE-2021-43816 affects containerd (CRI) on SELinux-enabled distros (EL8/CentOS/RHEL, Fedora, SUSE MicroOS). An unprivileged pod could bind-mount a privileged host file via hostPath at /etc/hosts, /etc/hostname, or /etc/resolv.conf, relabeling that path to the container process label and potential...

9.1CVSS8.4AI score0.0169EPSS
CVE
CVE
added 2025/05/21 5:26 p.m.211 views

CVE-2025-47291

CVE-2025-47291 concerns containerd’s CRI: versions 2.0.1–2.0.4 do not place usernamespaced containers under the Kubernetes cgroup hierarchy, which may cause Kubernetes limits to not be honored and could lead to node denial of service. The issue is fixed in containerd 2.0.5+ and 2.1.0+. Remediatio...

7.5CVSS6.4AI score0.00242EPSS
CVE
CVE
added 2026/07/01 5:40 p.m.207 views

CVE-2026-46680

CVE-2026-46680 concerns containerd, the container runtime. A flaw in how numeric User directives are parsed (not a 32-bit integer) can cause such values to be treated as usernames, enabling runAsNonRoot evasion. If a crafted image supplies an /etc/passwd mapping that maps this large numeric strin...

7.8CVSS5.7AI score0.00221EPSS
CVE
CVE
added 2025/05/20 6:25 p.m.202 views

CVE-2025-47290

CVE-2025-47290 affects containerd v2.1.0, where a TOCTOU flaw during image unpack could allow an attacker to arbitrarily modify the host filesystem. The issue is limited to 2.1.0; 2.1.1 fixes it. Affected guidance: upgrade to containerd 2.1.1+; as a workaround, use only trusted images and restric...

9.4CVSS6.4AI score0.00435EPSS
CVE
CVE
added 2026/07/01 5:48 p.m.90 views

CVE-2026-47262

CVE-2026-47262 affects containerd where a maliciously crafted image can trigger a Denial of Service by exhausting memory during container creation, causing an Out-Of-Memory (OOM) kill of the containerd process and making the runtime API unavailable (impacting clients like Docker Engine and Kubern...

5.5CVSS5.7AI score0.00317EPSS
CVE
CVE
added 2026/07/01 12:11 a.m.89 views

CVE-2026-53488

CVE-2026-53488 affects containerd’s CRI plugin: image config LABELs are propagated to containers without validation, enabling potential host-command execution via a plugin that consumes labels. Concrete details across connected docs confirm this vulnerability in containerd versions prior to 1.7.3...

9.4CVSS5.9AI score0.00203EPSS
CVE
CVE
added 2025/11/06 6:36 p.m.55 views

CVE-2024-25621

CVE-2024-25621 affects containerd: versions 0.1.0–1.7.28, 2.0.0-beta.0–2.0.6, 2.1.0-beta.0–2.1.4, and 2.2.0-beta.0–2.2.0-rc.1 create directories with overly broad permissions (e.g., /var/lib/containerd, /run/containerd/io.containerd.grpc.v1.cri, /run/containerd/io.containerd.sandbox.controller.v1...

7.8CVSS6.4AI score0.00159EPSS
CVE
CVE
added 2026/07/01 5:50 p.m.48 views

CVE-2026-50195

Containerd CVE-2026-50195 affects CRI checkpoint import: unvalidated image references in a checkpoint config allow an attacker with pod-creation permissions to trigger pulling a malicious image and assign it a local tag, poisoning the node’s local image cache. Subsequent pods on the same node usi...

9.9CVSS6.1AI score0.00354EPSS
CVE
CVE
added 2026/07/01 6:10 p.m.48 views

CVE-2026-53489

CVE-2026-53489 affects containerd CRI: when checkpoint restore occurs, the CRI plugin may read a host file by following a symlink for container.log. Vulnerable versions are prior to 2.3.2, 2.2.5 and 2.1.9. Impact described as arbitrary host file read via kubectl logs, with LOCAL attack potential ...

8.2CVSS5.9AI score0.00208EPSS
CVE
CVE
added 2026/07/01 5:59 p.m.43 views

CVE-2026-53492

Summary: CVE-2026-53492 affects containerd’s CRI checkpoint restoration, where CDI annotations in untrusted checkpoint metadata are trusted, allowing injection of CDI edits (device nodes/host mounts) into restored containers if CDI is enabled and a matching host CDI spec exists. The issue affects...

9.6CVSS5.9AI score0.00412EPSS
CVE
CVE
added 2025/11/07 4:15 a.m.40 views

CVE-2025-64329

CVE-2025-64329 affects containerd across multiple streams. The CVE stems from a bug in the CRI Attach implementation that can exhaust host memory due to goroutine leaks in vulnerable releases (versions: 1.7.28 and earlier; 2.0.0-beta.0–2.0.6; 2.1.0-beta.0–2.1.4; 2.2.0-beta.0–2.2.0-rc.1). Affected...

6.9CVSS6.3AI score0.00162EPSS