{"schema_version":"1.7.2","id":"OESA-2025-2836","modified":"2025-12-12T12:20:53Z","published":"2025-12-12T12:20:53Z","upstream":["CVE-2024-25621","CVE-2025-64329"],"summary":"containerd security update","details":"containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability.  It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.\r\n\r\nSecurity Fix(es):\n\ncontainerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode.(CVE-2024-25621)\n\ncontainerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.(CVE-2025-64329)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"containerd","purl":"pkg:rpm/openEuler/containerd&distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.0-222.oe2003sp4"}]}],"ecosystem_specific":{"aarch64":["containerd-1.2.0-222.oe2003sp4.aarch64.rpm"],"src":["containerd-1.2.0-222.oe2003sp4.src.rpm"],"x86_64":["containerd-1.2.0-222.oe2003sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2836"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-25621"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64329"}],"database_specific":{"severity":"High"}}