CVE-2025-64329

containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df	Patch
https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:linuxfoundation:containerd::::::::
	cpe:2.3:a:linuxfoundation:containerd::::::::
	cpe:2.3:a:linuxfoundation:containerd::::::::
	cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta0::::::
	cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta1::::::
	cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta2::::::
	cpe:2.3:a:linuxfoundation:containerd:2.2.0:rc0::::::
	cpe:2.3:a:linuxfoundation:containerd:2.2.0:rc1::::::

History

No history.

Information

Published : 2025-11-07 05:16

Updated : 2025-12-31 18:34

NVD link : CVE-2025-64329

Mitre link : CVE-2025-64329

CVE.ORG link : CVE-2025-64329

JSON object : View

Products Affected

linuxfoundation

containerd

CWE

CWE-401

Missing Release of Memory after Effective Lifetime

{"id": "CVE-2025-64329", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-11-07T05:16:08.017", "references": [{"url": "https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources."}, {"lang": "es", "value": "containerd es un tiempo de ejecuci\u00f3n de contenedores de c\u00f3digo abierto. Las versiones 1.7.28 e inferiores, 2.0.0-beta.0 hasta 2.0.6, 2.1.0-beta.0 hasta 2.1.4, y 2.2.0-beta.0 hasta 2.2.0-rc.1 contienen un error en la implementaci\u00f3n de CRI Attach donde un usuario puede agotar la memoria en el host debido a fugas de goroutines. Este problema est\u00e1 solucionado en las versiones 1.7.29, 2.0.7, 2.1.5 y 2.2.0. Como soluci\u00f3n alternativa a esta vulnerabilidad, los usuarios pueden configurar un controlador de admisi\u00f3n para controlar los accesos a los recursos pods/attach."}], "lastModified": "2025-12-31T18:34:48.060", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DD786582-F4AE-41DD-B61F-BD8AF4FC1A04", "versionEndExcluding": "1.7.29"}, {"criteria": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07087EDC-9E6A-45D1-B6D2-E7F4016CD46E", "versionEndExcluding": "2.0.7", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9E760B42-E25C-4780-85AE-D003D6425700", "versionEndExcluding": "2.1.5", "versionStartIncluding": "2.1.0"}, {"criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta0:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EEF71FE5-2286-4D94-82DD-7509CE85F1F6"}, {"criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3290FD7B-0A16-4968-9800-78B947EF213D"}, {"criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E4352A29-4DFC-4EBE-BE0E-97DEB76E5A30"}, {"criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:rc0:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "57685264-6950-4CB9-ACBE-6944EB3B2C1C"}, {"criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D640701-1D0B-41B7-83B0-79592902E6AC"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}