CVE-2025-64329

Nov. 7, 2025, 5:16 a.m.

6.9
Medium

Description

containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.

Product(s) Impacted

Vendor Product Versions
Containerd
  • Containerd
  • <1.7.29, 2.0.0-beta.0-2.0.6, 2.1.0-beta.0-2.1.4, 2.2.0-beta.0-2.2.0-rc.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-401
Missing Release of Memory after Effective Lifetime
The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a containerd containerd <1.7.29 / / / / / / /
a containerd containerd 2.0.0-beta.0-2.0.6 / / / / / / /
a containerd containerd 2.1.0-beta.0-2.1.4 / / / / / / /
a containerd containerd 2.2.0-beta.0-2.2.0-rc.1 / / / / / / /

References

https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df
https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2

Tags

security-advisories@github.com
CWE-401
2025-11-07
CVE-2025-64329

CVSS Score

6.9 / 10

CVSS Data - 4.0

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Nov. 7, 2025, 5:16 a.m.
Last Modified: Nov. 7, 2025, 5:16 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.