{"schema_version":"1.7.2","id":"OESA-2025-2755","modified":"2025-11-28T12:51:23Z","published":"2025-11-28T12:51:23Z","upstream":["CVE-2024-25621","CVE-2025-64329"],"summary":"containerd security update","details":"containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.\n\nSecurity Fix(es):\n\nAn overly broad default permission vulnerability was found in containerd.\n\n- `/var/lib/containerd` was created with the permission bits 0o711, while it should be created with 0o700\n  - Allowed local users on the host to potentially access the metadata store and the content store\n- `/run/containerd/io.containerd.grpc.v1.cri` was created with 0o755, while it should be created with 0o700\n  - Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host.\n- `/run/containerd/io.containerd.sandbox.controller.v1.shim` was created with 0o711, while it should be created with 0o700\n\nThe directory paths may differ depending on the daemon configuration.\nWhen the `temp` directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700. (CVE-2024-25621)\n\nA bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.\nRepetitive calls of CRI Attach (e.g., kubectl attach) could increase the memory usage of containerd. (CVE-2025-64329)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP2","name":"containerd","purl":"pkg:rpm/openEuler/containerd&distro=openEuler-24.03-LTS-SP2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.22-25.oe2403sp2"}]}],"ecosystem_specific":{"aarch64":["containerd-1.6.22-25.oe2403sp2.aarch64.rpm"],"src":["containerd-1.6.22-25.oe2403sp2.src.rpm"],"x86_64":["containerd-1.6.22-25.oe2403sp2.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2755"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-25621"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64329"}],"database_specific":{"severity":"High"}}
