CVE-2025-64329

07.11.2025, 05:16

containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
GitHub_M	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Debian Releases

Debian Product

Codename

containerd

bullseye	vulnerable
bullseye (security)	vulnerable
bookworm	vulnerable
bookworm (security)	1.6.20~ds1-1+deb12u2 fixed
trixie	vulnerable
trixie (security)	1.7.24~ds1-6+deb13u1 fixed
forky	1.7.24~ds1-10 fixed
sid	1.7.24~ds1-10 fixed

Ubuntu Releases

Ubuntu Product

Codename

containerd

questing	needs-triage
plucky	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

containerd-app

questing	needs-triage
plucky	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage

Common Weakness Enumeration

CWE-401 - Missing Release of Memory after Effective Lifetime
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

References

https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df

https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2