CVE-2021-32760

MEDIUM

containerd <1.4.8-1.5.4 - Privilege Escalation

Title source: llm

Description

containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.

References (5)

Core 5

Core References

Mailing List, Third Party Advisory vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/

Third Party Advisory vendor-advisory

https://security.gentoo.org/glsa/202401-31

Release Notes, Third Party Advisory

https://github.com/containerd/containerd/releases/tag/v1.4.8

Release Notes, Third Party Advisory

https://github.com/containerd/containerd/releases/tag/v1.5.4

Third Party Advisory

https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w

Scores

CVSS v3 5.0

EPSS 0.0007

EPSS Percentile 21.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-732 CWE-668

Status published

Products (3)

containerd/containerd 0 - 1.4.8Go

fedoraproject/fedora 34

linuxfoundation/containerd < 1.4.8

Published Jul 19, 2021

Tracked Since Feb 18, 2026