Описание
containerd CRI server: Host memory exhaustion through Attach goroutine leak
Impact
A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.
Repetitive calls of CRI Attach (e.g., kubectl attach) could increase the memory usage of containerd.
Patches
This bug has been fixed in the following containerd versions:
- 2.2.0
- 2.1.5
- 2.0.7
- 1.7.29
Users should update to these versions to resolve the issue.
Workarounds
Set up an admission controller to control accesses to pods/attach resources.
e.g., Validating Admission Policy.
Credits
The containerd project would like to thank @Wheat2018 for responsibly disclosing this issue in accordance with the containerd security policy.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329
For more information
If you have any questions or comments about this advisory:
- Open an issue in containerd
- Email us at security@containerd.io
To report a security issue in containerd:
Пакеты
github.com/containerd/containerd
< 1.7.29
1.7.29
github.com/containerd/containerd/v2
< 2.0.7
2.0.7
github.com/containerd/containerd/v2
>= 2.1.0-beta.0, < 2.1.5
2.1.5
github.com/containerd/containerd/v2
>= 2.2.0-beta.0, < 2.2.0
2.2.0
Связанные уязвимости
containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.
containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.
containerd CRI server: Host memory exhaustion through Attach goroutine leak
containerd is an open-source container runtime. Versions 1.7.28 and be ...
Уязвимость среды выполнения контейнеров containerd, связанная с отсутствием освобождения памяти после эффективного срока службы, позволяющая нарушителю вызвать отказ в обслуживании