CVE-2025-64329
BaseFortify
Publication date: 2025-11-07
Last updated on: 2025-12-31
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | containerd | to 1.7.29 (exc) |
| linuxfoundation | containerd | From 2.0.0 (inc) to 2.0.7 (exc) |
| linuxfoundation | containerd | From 2.1.0 (inc) to 2.1.5 (exc) |
| linuxfoundation | containerd | 2.2.0 |
| linuxfoundation | containerd | 2.2.0 |
| linuxfoundation | containerd | 2.2.0 |
| linuxfoundation | containerd | 2.2.0 |
| linuxfoundation | containerd | 2.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a bug in the containerd container runtime's CRI Attach implementation that causes a memory leak on the host system. Specifically, it involves goroutine leaks that allow a user to exhaust the host's memory, potentially leading to denial of service or degraded performance. The issue affects certain versions of containerd and is fixed in later versions.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing a user to exhaust the host system's memory due to goroutine leaks in containerd. This can lead to system instability, degraded performance, or denial of service conditions on the host running containerd.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users can set up an admission controller to control accesses to pods/attach resources. Additionally, upgrading containerd to a fixed version such as 1.7.29, 2.0.7, 2.1.5, or 2.2.0 is recommended.