CVE-2025-47291

Name: CVE-2025-47291

Description: containerd is an open-source container runtime. A bug was found in the containerd's CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn't put usernamespaced containers under the Kubernetes' cgroup hierarchy, therefore some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node. This bug has been fixed in containerd 2.0.5+ and 2.1.0+. Users should update to these versions to resolve the issue. As a workaround, disable usernamespaced pods in Kubernetes temporarily.

Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| containerd (PTS) | bullseye | 1.4.13~ds1-1~deb11u4 | fixed |
| | bullseye (security) | 1.4.13~ds1-1~deb11u5 | fixed |
| | bookworm | 1.6.20~ds1-1+deb12u1 | fixed |
| | sid, trixie | 1.7.24~ds1-6 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| containerd | source | (unstable) | (not affected) | | | |

Notes

- containerd <not-affected> (Vulnerable code not present)
https://github.com/containerd/containerd/security/advisories/GHSA-cxfp-7pvr-95ff
