6.9

CVE-2025-64329

containerd CRI server: Host memory exhaustion through Attach goroutine leak

containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxfoundationContainerd Version < 1.7.29
LinuxfoundationContainerd Version >= 2.0.0 < 2.0.7
LinuxfoundationContainerd Version >= 2.1.0 < 2.1.5
LinuxfoundationContainerd Version2.2.0 Updatebeta0
LinuxfoundationContainerd Version2.2.0 Updatebeta1
LinuxfoundationContainerd Version2.2.0 Updatebeta2
LinuxfoundationContainerd Version2.2.0 Updaterc0
LinuxfoundationContainerd Version2.2.0 Updaterc1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.16% 0.057
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com 6.9 0 0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2
Patch
Vendor Advisory
https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df
Patch