CVE-2025-64329

MEDIUM

Linuxfoundation Containerd < 1.7.29 - Memory Leak

Description

containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To work around this vulnerability, users can set up an admission controller to control access to pods/attach resources.

Scores

CVSS v3 5.5
EPSS 0.0001
EPSS Percentile 0.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-401
Status published
Products (4)
containerd/containerd 0 - 1.7.29 (Go)
containerd/containerd 0 - 2.0.7 (Go)
linuxfoundation/containerd 2.2.0 beta0 (5 CPE variants)
linuxfoundation/containerd < 1.7.29
Published Nov 07, 2025
Tracked Since Feb 18, 2026