A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. Repetitive calls of CRI Attach (e.g., kubectl attach) could increase the memory usage of containerd.
An overly broad default permission vulnerability was found in containerd. /var/lib/containerd was created with the permission bits 0o711, while it should be created with 0o700 Allowed local users on the host to potentially access the metadata store and the content store /run/containerd/io.containerd.grpc.v1.cri was created with 0o755, while it should be created with 0o700 Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents …
A bug was found in the containerd's CRI implementation where containerd doesn't put usernamespaced containers under the Kubernetes' cgroup hierarchy, therefore some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node.
A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system.
A bug was found in containerd where containers launched with a User set as a UID:GID larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user.