CVE-2022-31030

MEDIUM5.5EPSS 0.16%

containerd CRI plugin: Host memory exhaustion through ExecSync

Published: 6/6/2022Modified: 2/4/2026
Also known as:GHSA-5ffw-gxpp-mxpfCGA-gc9j-rh9q-mvc9DEBIAN-CVE-2022-31030GO-2022-0482

Description

### Impact A bug was found in containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. ### Patches This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. ### Workarounds Ensure that only trusted images and commands are used. ### References * Similar fix in cri-o's CRI implementation https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j ### Credits The containerd project would like to thank David Korczynski and Adam Korczynski of ADA Logics for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md) during a security audit sponsored by CNCF and facilitated by OSTIF. ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose) * Email us at [[email protected]](mailto:[email protected])

Affected packages (3)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1MEDIUM5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (12)