CVE-2024-25621
Severity: HIGH
containerd <1.7.28, <2.0.6, <2.1.4, <2.2.0-rc.1 - Privilege Escalation
Title source: llmDescription
containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. The directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include having a system administrator on the host manually chmod the directories so they are not group- or world-accessible, or running containerd in rootless mode.
References (3)
Patch, Vendor Advisory (x_refsource_confirm): https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w
Patch (x_refsource_misc): https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5
Product (x_refsource_misc): https://github.com/containerd/containerd/blob/main/docs/rootless.md
Scores
CVSS v3: 7.3
EPSS: 0.0000
EPSS Percentile: 0.2%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-279 (Incorrect Execution-Assigned Permissions)
Status: published
Products (4)
containerd/containerd: 0 - 1.7.29 (Go)
containerd/containerd: 0 - 2.0.7 (Go)
linuxfoundation/containerd: 2.2.0 beta0 (5 CPE variants)
linuxfoundation/containerd: < 1.7.29
Published: Nov 06, 2025
Tracked Since: Feb 18, 2026