CVE-2025-64329
ADVISORY - githubSummary
Impact
A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.
Repetitive calls of CRI Attach (e.g., kubectl attach) could increase the memory usage of containerd.
Patches
This bug has been fixed in the following containerd versions:
- 2.2.0
- 2.1.5
- 2.0.7
- 1.7.29
Users should update to these versions to resolve the issue.
Workarounds
Set up an admission controller to control accesses to pods/attach resources.
e.g., Validating Admission Policy.
Credits
The containerd project would like to thank @Wheat2018 for responsibly disclosing this issue in accordance with the containerd security policy.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329
For more information
If you have any questions or comments about this advisory:
- Open an issue in containerd
- Email us at security@containerd.io
To report a security issue in containerd:
Common Weakness Enumeration (CWE)
Missing Release of Memory after Effective Lifetime
Missing Release of Memory after Effective Lifetime
Missing Reference to Active Allocated Resource
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in