CVE-2025-64329

EUVD-2025-38219
containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To work around this vulnerability, users can set up an admission controller to control access to pods/attach resources.
CVSS 3.x (Provider: NIST, Type: Primary)
Base Score:          5.5 MEDIUM
Attack Vector:       LOCAL
Attack Complexity:   LOW
Privileges Required: LOW
Vector:              CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score:          Percentile: Unknown
Affected Products (NVD)
Vendor           Product     Version
linuxfoundation  containerd  x < 1.7.29
linuxfoundation  containerd  2.0.0 ≤ x < 2.0.7
linuxfoundation  containerd  2.1.0 ≤ x < 2.1.5
linuxfoundation  containerd  2.2.0:beta0
linuxfoundation  containerd  2.2.0:beta1
linuxfoundation  containerd  2.2.0:beta2
linuxfoundation  containerd  2.2.0:rc0
linuxfoundation  containerd  2.2.0:rc1
x = Vulnerable software versions
Debian Releases
Product     Codename             Version               Status
containerd  bookworm             1.6.20~ds1-1+deb12u3  fixed
containerd  bookworm (security)  -                     vulnerable
containerd  bullseye             -                     vulnerable
containerd  bullseye (security)  1.4.13~ds1-1~deb11u6  fixed
containerd  forky                2.1.6+ds1-1           fixed
containerd  sid                  2.1.6+ds1-1           fixed
containerd  trixie               1.7.24~ds1-6+deb13u1  fixed
containerd  trixie (security)    1.7.24~ds1-6+deb13u1  fixed
Ubuntu Releases
Product         Codename  Fixed version                   Status
containerd      bionic    1.6.12-0ubuntu1~18.04.1+esm3    released
containerd      focal     1.6.12-0ubuntu1~20.04.8+esm1    released
containerd      jammy     1.6.12-0ubuntu1~22.04.10        released
containerd      noble     1.6.24~ds1-1ubuntu1.3+esm2      released
containerd      plucky    -                               ignored
containerd      questing  1.7.24~ds1-8ubuntu1.1           released
containerd      resolute  -                               not-affected
containerd      xenial    1.2.6-0ubuntu1~16.04.6+esm6     released
containerd-app  focal     1.7.24-0ubuntu1~20.04.2+esm1    released
containerd-app  jammy     1.7.28-0ubuntu1~22.04.1+esm1    released
containerd-app  noble     1.7.28-0ubuntu1~24.04.2         released
containerd-app  plucky    -                               ignored
containerd-app  questing  2.1.3-0ubuntu3.1                released
containerd-app  resolute  -                               not-affected
openSUSE / SLES Releases
Product           Release                        Version              Status
containerd        suse enterprise sap 15 SP4     1.7.29-150000.128.1  fixed
containerd        suse enterprise sap 15 SP5     1.7.29-150000.128.1  fixed
containerd        suse enterprise sap 15 SP6     1.7.29-150000.128.1  fixed
containerd        suse enterprise server 12 SP5  1.7.29-16.105.1      fixed
containerd        suse enterprise server 15 SP2  1.7.29-150000.128.1  fixed
containerd        suse enterprise server 15 SP3  1.7.29-150000.128.1  fixed
containerd        suse enterprise server 15 SP4  1.7.29-150000.128.1  fixed
containerd        suse enterprise server 15 SP5  1.7.29-150000.128.1  fixed
containerd        suse enterprise server 15 SP6  1.7.29-150000.128.1  fixed
containerd-ctr    suse enterprise sap 15 SP4     1.7.29-150000.128.1  fixed
containerd-ctr    suse enterprise sap 15 SP5     1.7.29-150000.128.1  fixed
containerd-ctr    suse enterprise sap 15 SP6     1.7.29-150000.128.1  fixed
containerd-ctr    suse enterprise sap 15 SP7     1.7.29-150000.128.1  fixed
containerd-ctr    suse enterprise server 12 SP5  1.7.29-16.105.1      fixed
containerd-ctr    suse enterprise server 15 SP2  1.7.29-150000.128.1  fixed
containerd-ctr    suse enterprise server 15 SP3  1.7.29-150000.128.1  fixed
containerd-ctr    suse enterprise server 15 SP4  1.7.29-150000.128.1  fixed
containerd-ctr    suse enterprise server 15 SP5  1.7.29-150000.128.1  fixed
containerd-ctr    suse enterprise server 15 SP6  1.7.29-150000.128.1  fixed
containerd-ctr    suse enterprise server 15 SP7  1.7.29-150000.128.1  fixed
containerd-devel  suse enterprise sap 15 SP4     1.7.29-150000.128.1  fixed
containerd-devel  suse enterprise sap 15 SP5     1.7.29-150000.128.1  fixed
containerd-devel  suse enterprise sap 15 SP6     1.7.29-150000.128.1  fixed
containerd-devel  suse enterprise sap 15 SP7     1.7.29-150000.128.1  fixed
containerd-devel  suse enterprise server 12 SP5  1.7.29-16.105.1      fixed
containerd-devel  suse enterprise server 15 SP4  1.7.29-150000.128.1  fixed
containerd-devel  suse enterprise server 15 SP5  1.7.29-150000.128.1  fixed
containerd-devel  suse enterprise server 15 SP6  1.7.29-150000.128.1  fixed
containerd-devel  suse enterprise server 15 SP7  1.7.29-150000.128.1  fixed