OESA-2025-2756

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-2756
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-2756.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2025-2756
Upstream
Published
2025-11-28T12:51:25Z
Modified
2025-11-28T13:17:35.452677Z
Summary
containerd security update
Details

containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.

Security Fix(es):

An overly broad default permission vulnerability was found in containerd.

  • /var/lib/containerd was created with the permission bits 0o711, while it should be created with 0o700
    • Allowed local users on the host to potentially access the metadata store and the content store
  • /run/containerd/io.containerd.grpc.v1.cri was created with 0o755, while it should be created with 0o700
    • Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host.
  • /run/containerd/io.containerd.sandbox.controller.v1.shim was created with 0o711, while it should be created with 0o700

The directory paths may differ depending on the daemon configuration. When the temp directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700. (CVE-2024-25621)

A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. Repetitive calls of CRI Attach (e.g., kubectl attach) could increase the memory usage of containerd. (CVE-2025-64329)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:22.03-LTS-SP3 / containerd

Package

Name
containerd
Purl
pkg:rpm/openEuler/containerd&distro=openEuler-22.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
1.2.0-324.oe2203sp3

Ecosystem specific

{
    "src": [
        "containerd-1.2.0-324.oe2203sp3.src.rpm"
    ],
    "aarch64": [
        "containerd-1.2.0-324.oe2203sp3.aarch64.rpm"
    ],
    "x86_64": [
        "containerd-1.2.0-324.oe2203sp3.x86_64.rpm"
    ]
}