CVE-2025-47291: containerd CRI plugin: Incorrect cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods.

May 21, 2025 (updated October 31, 2025)

A bug was found in the containerd’s CRI implementation where containerd doesn’t put usernamespaced containers under the Kubernetes’ cgroup hierarchy, therefore some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node.

References

github.com/advisories/GHSA-cxfp-7pvr-95ff
github.com/containerd/containerd
github.com/containerd/containerd/security/advisories/GHSA-cxfp-7pvr-95ff
nvd.nist.gov/vuln/detail/CVE-2025-47291
pkg.go.dev/vuln/GO-2025-3701

Code Behaviors & Features

Detect and mitigate CVE-2025-47291 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →