CVE-2025-64329

EUVD-2025-38219
containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation: a user who can attach to a container can leak goroutines on the host and exhaust its memory (denial of service). This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. As a workaround, users can deploy an admission controller that restricts access to the pods/attach subresource.
CVSS (NVD)
Provider: NIST (Primary)
Base Score: 5.5 MEDIUM (CVSS 3.x)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality / Integrity / Availability: NONE / NONE / HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score: percentile 4%
Affected Products (NVD)
Vendor: linuxfoundation
Product: containerd
Vulnerable versions (x = containerd version):
  x < 1.7.29
  2.0.0 ≤ x < 2.0.7
  2.1.0 ≤ x < 2.1.5
  2.2.0:beta0, 2.2.0:beta1, 2.2.0:beta2, 2.2.0:rc0, 2.2.0:rc1 (NVD notation for the 2.2.0 pre-releases)
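The following is an added example for this advisory, not code from containerd or from the advisory itself: a POSIX shell check that maps an upstream containerd version string onto the affected and fixed ranges listed above. It assumes the output format of `containerd --version` is "containerd <module path> vX.Y.Z <commit>", and it treats every 2.2.0 pre-release as affected (the page lists beta.0 through rc.1 and names 2.2.0 final as the fix). It is only valid for upstream version numbers: Debian and Ubuntu backport the fix into package versions such as 1.7.24~ds1-6+deb13u1, which these upstream ranges would misclassify, so use the distribution tables for those.

```shell
#!/bin/sh
# Added example for CVE-2025-64329 (not code from containerd or from the advisory).
# Maps an upstream containerd version string onto the affected/fixed ranges the
# advisory states. Distribution packages (Debian/Ubuntu) backport the fix into
# versions like 1.7.24~ds1-6+deb13u1 that these upstream ranges would misclassify;
# consult the distribution tables for those instead.

# Print the "vX.Y.Z[-pre]" token from a `containerd --version` line. The format
# "containerd <module path> vX.Y.Z <commit>" is assumed here; build metadata
# after "+" is dropped.
extract_version() {
  printf '%s\n' "$1" | sed -n 's/.*[[:space:]]\(v[0-9][0-9A-Za-z.-]*\).*/\1/p'
}

# Split "vX.Y.Z[-tag.N]" into MAJOR MINOR PATCH PRE_TAG PRE_NUM (globals).
# A final release has PRE_TAG="" and sorts after any pre-release of that X.Y.Z.
parse_version() {
  v=${1#v}; v=${v%%+*}
  case $v in
    *-*) core=${v%%-*}; pre=${v#*-} ;;
    *)   core=$v; pre= ;;
  esac
  MAJOR=${core%%.*}; rest=${core#*.}
  case $core in *.*) ;; *) rest=0 ;; esac
  MINOR=${rest%%.*}; PATCH=${rest#*.}
  case $rest in *.*) ;; *) PATCH=0 ;; esac
  PATCH=${PATCH%%.*}          # ignore any fourth component
  PRE_TAG=${pre%%.*}
  case $pre in *.*) PRE_NUM=${pre#*.}; PRE_NUM=${PRE_NUM%%.*} ;; *) PRE_NUM=0 ;; esac
}

# Succeed (exit 0) when version $1 sorts strictly before version $2.
version_lt() {
  parse_version "$1"; a1=$MAJOR; a2=$MINOR; a3=$PATCH; at=$PRE_TAG; an=$PRE_NUM
  parse_version "$2"; b1=$MAJOR; b2=$MINOR; b3=$PATCH; bt=$PRE_TAG; bn=$PRE_NUM
  for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
    set -- $pair
    if [ "$1" -lt "$2" ]; then return 0; fi
    if [ "$1" -gt "$2" ]; then return 1; fi
  done
  # Same X.Y.Z: a pre-release sorts before the final release.
  if [ -n "$at" ] && [ -z "$bt" ]; then return 0; fi
  if [ -z "$at" ]; then return 1; fi
  # Both pre-releases: compare the tag alphabetically ("beta" < "rc"), then N.
  if [ "$at" != "$bt" ]; then
    if [ "$(expr "$at" \< "$bt")" = 1 ]; then return 0; else return 1; fi
  fi
  [ "$an" -lt "$bn" ]
}

# Print "vulnerable", "fixed", or "not-listed" (branches the advisory does not
# cover, i.e. 2.3 and later) for the given upstream version.
classify() {
  parse_version "$1"; branch="$MAJOR.$MINOR"
  # 1.7.28 and below: every 0.x/1.x release before 1.7.29 is affected.
  if version_lt "$1" v1.7.29; then echo vulnerable; return 0; fi
  case $branch in
    1.*) echo fixed ;;
    2.0) if version_lt "$1" v2.0.7; then echo vulnerable; else echo fixed; fi ;;
    2.1) if version_lt "$1" v2.1.5; then echo vulnerable; else echo fixed; fi ;;
    # The advisory lists 2.2.0-beta.0 through 2.2.0-rc.1; every 2.2.0 pre-release
    # is treated as affected here, since 2.2.0 final is the fix.
    2.2) if version_lt "$1" v2.2.0; then echo vulnerable; else echo fixed; fi ;;
    *)   echo not-listed ;;
  esac
}

# Usage: sh containerd_cve_2025_64329.sh [VERSION | "containerd --version" line]
# e.g.  sh containerd_cve_2025_64329.sh "$(containerd --version)"
# With no argument the script only defines the functions above.
if [ -n "${1-}" ]; then
  ver=$(extract_version "$1"); [ -n "$ver" ] || ver=$1
  printf '%s: %s\n' "$ver" "$(classify "$ver")"
fi
```

On a Kubernetes node the check is `sh containerd_cve_2025_64329.sh "$(containerd --version)"`; on a cluster, `kubectl get nodes -o wide` reports the container runtime version per node and the same classification applies to each upstream version it shows. A "not-listed" result means the branch is outside what this advisory covers, not that it has been assessed as unaffected.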
Debian Releases
Product: containerd
Codename              Version                  Status
bookworm                                       no-dsa
bookworm (security)                            vulnerable
bullseye                                       vulnerable
bullseye (security)   1.4.13~ds1-1~deb11u6     fixed
forky                 1.7.24~ds1-10            fixed
sid                   1.7.24~ds1-10            fixed
trixie                1.7.24~ds1-6+deb13u1     fixed
trixie (security)     1.7.24~ds1-6+deb13u1     fixed
Ubuntu Releases
Product: containerd
Codename   Fixed version                        Status
bionic     1.6.12-0ubuntu1~18.04.1+esm3         released
focal      1.6.12-0ubuntu1~20.04.8+esm1         released
jammy      1.6.12-0ubuntu1~22.04.10             released
noble      1.6.24~ds1-1ubuntu1.3+esm2           released
plucky                                          ignored
questing   1.7.24~ds1-8ubuntu1.1                released
xenial     1.2.6-0ubuntu1~16.04.6+esm6          released

Product: containerd-app
Codename   Fixed version                        Status
focal      1.7.24-0ubuntu1~20.04.2+esm1         released
jammy      1.7.28-0ubuntu1~22.04.1+esm1         released
noble      1.7.28-0ubuntu1~24.04.2              released
plucky                                          ignored
questing   2.1.3-0ubuntu3.1                     released