CVE-2025-64329

CVE-2025-64329

Name

CVE-2025-64329

Description

containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df
CONFIRM	https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2

Type

URI

MISC

https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df

CONFIRM

https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2

Match rules

CPE URI	Source package	Min version	Max version
	containerd	>= 0	< 1.7.29
	containerd	>= 0	< 2.0.7
	containerd	>= 2.1.0-beta.0	< 2.1.5
	containerd	>= 2.2.0-beta.0	< 2.2.0
`cpe:2.3:a:linuxfoundation:containerd::::::::`	containerd	>= None	< 1.7.29
`cpe:2.3:a:linuxfoundation:containerd::::::::`	containerd	>= 2.0.0	< 2.0.7
`cpe:2.3:a:linuxfoundation:containerd::::::::`	containerd	>= 2.1.0	< 2.1.5
`cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta0::::::`	containerd	== None	== 2.2.0

CPE URI

Source package

Min version

Max version

containerd

>= 0

< 1.7.29

containerd

>= 0

< 2.0.7

containerd

>= 2.1.0-beta.0

< 2.1.5

containerd

>= 2.2.0-beta.0

< 2.2.0

cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*

containerd

>= None

< 1.7.29

cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*

containerd

>= 2.0.0

< 2.0.7

cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*

containerd

>= 2.1.0

< 2.1.5

cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta0:*:*:*:*:*:*

containerd

== None

== 2.2.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
containerd	edge-community	2.2.0-r3	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.2.0-r2	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.2.0-r1	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.2.0-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.1.4-r3	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.1.4-r2	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.1.4-r1	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.1.4-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.1.3-r1	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.1.3-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.1.2-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.1.1-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.1.0-r1	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.1.0-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.0.5-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.0.4-r1	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.0.4-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.0.3-r1	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.0.3-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.0.2-r1	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.0.2-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.0.1-r1	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.0.1-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	2.0.0-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	1.6.18-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	1.6.12-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	1.6.6=r0	None	possibly vulnerable
containerd	edge-community	1.6.6-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	1.6.2-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	1.6.1-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	1.5.9-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	1.5.8-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	1.5.7-r0	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	1.5.4-r0	Jake Buchholz <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	1.4.4-r0	Jake Buchholz <tomalok@gmail.com>	possibly vulnerable
containerd	edge-community	1.4.3-r0	None	possibly vulnerable
containerd	edge-community	1.3.3-r0	None	possibly vulnerable
containerd	edge-community	1.3.1-r0	None	possibly vulnerable
containerd	edge-community	1.3.0-r0	None	possibly vulnerable
containerd	edge-community	1.2.9-r0	None	possibly vulnerable
containerd	edge-community	1.2.6-r0	None	possibly vulnerable
containerd	3.23-community	2.2.0-r5	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	3.23-community	2.2.0-r4	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	3.23-community	2.2.0-r3	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	3.22-community	2.1.3-r3	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	3.22-community	2.1.3-r2	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	3.22-community	2.1.3-r1	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	3.22-community	2.1.1-r0	None	possibly vulnerable
containerd	3.22-community	2.0.0-r5	Jake Buchholz Göktürk <tomalok@gmail.com>	possibly vulnerable
containerd	3.22-community	1.6.18-r0	None	possibly vulnerable
containerd	3.22-community	1.6.12-r0	None	possibly vulnerable
containerd	3.22-community	1.6.6-r0	None	possibly vulnerable
containerd	3.22-community	1.6.2-r0	None	possibly vulnerable
containerd	3.22-community	1.6.1-r0	None	possibly vulnerable
containerd	3.22-community	1.5.9-r0	None	possibly vulnerable
containerd	3.22-community	1.5.8-r0	None	possibly vulnerable
containerd	3.22-community	1.5.7-r0	None	possibly vulnerable
containerd	3.22-community	1.5.4-r0	None	possibly vulnerable
containerd	3.22-community	1.4.4-r0	None	possibly vulnerable
containerd	3.22-community	1.4.3-r0	None	possibly vulnerable
containerd	3.22-community	1.3.3-r0	None	possibly vulnerable
containerd	3.22-community	1.3.1-r0	None	possibly vulnerable
containerd	3.22-community	1.3.0-r0	None	possibly vulnerable
containerd	3.22-community	1.2.9-r0	None	possibly vulnerable
containerd	3.22-community	1.2.6-r0	None	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages