CVE-2025-64329

Published: Nov 7, 2025Modified: Dec 31, 2025

6.9

Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: security-advisories@github.com (Secondary)

Description

containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.

Affected (8)

Products: Linuxfoundation: Containerd

Linuxfoundation

1 product

Containerd

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Linuxfoundation Containerd	Before 1.7.29
Linuxfoundation Containerd	From 2.0.0 to 2.0.7
Linuxfoundation Containerd	From 2.1.0 to 2.1.5
Linuxfoundation Containerd	Version 2.2.0 beta0
Linuxfoundation Containerd	Version 2.2.0 beta1
Linuxfoundation Containerd	Version 2.2.0 beta2
Linuxfoundation Containerd	Version 2.2.0 rc0
Linuxfoundation Containerd	Version 2.2.0 rc1

Related CWEs

CWE-401

Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

References (2)

https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df

Source: security-advisories@github.com

Patch

https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2

Source: security-advisories@github.com

PatchVendor Advisory

Timeline

No history available yet.