### Impact A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. ### Patches This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. ### Workarounds Ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers. ### For more information If you have any questions or comments about this advisory: * Open an issue in containerd * Email us at security@containerd.io To report a security issue in containerd: * Report a new vulnerability * Email us at security@containerd.io
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in