containerd affected by a local privilege escalation via wide permissions on CRI directory
Description
containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. The directories /var/lib/containerd, /run/containerd/io.containerd.grpc.v1.cri and /run/containerd/io.containerd.sandbox.controller.v1.shim were all created with permissions that allow group and other users to access them. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. As a workaround, a system administrator on the host can manually chmod the affected directories so that they are not group- or world-accessible, or containerd can be run in rootless mode.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/containerd/containerd (Go) | < 1.7.29 | 1.7.29 |
| github.com/containerd/containerd/v2 (Go) | < 2.0.7 | 2.0.7 |
| github.com/containerd/containerd/v2 (Go) | >= 2.1.0-beta.0, < 2.1.5 | 2.1.5 |
| github.com/containerd/containerd/v2 (Go) | >= 2.2.0-beta.0, < 2.2.0 | 2.2.0 |
Affected products
- Range: < 1.7.29 (containerd v1 module; the v2 module ranges are listed in the table above)
Patches
7c59e8e9e970 Merge commit from fork
4 files changed · +26 −3
cmd/containerd/server/server.go+12 −2 modified@@ -80,10 +80,16 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error { return errors.New("root and state must be different paths") } - if err := sys.MkdirAllWithACL(config.Root, 0o711); err != nil { + if err := sys.MkdirAllWithACL(config.Root, 0o700); err != nil { + return err + } + // chmod is needed for upgrading from an older release that created the dir with 0o711 + if err := os.Chmod(config.Root, 0o700); err != nil { return err } + // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700. + // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits. if err := sys.MkdirAllWithACL(config.State, 0o711); err != nil { return err } @@ -98,7 +104,11 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error { } if config.TempDir != "" { - if err := sys.MkdirAllWithACL(config.TempDir, 0o711); err != nil { + if err := sys.MkdirAllWithACL(config.TempDir, 0o700); err != nil { + return err + } + // chmod is needed for upgrading from an older release that created the dir with 0o711 + if err := os.Chmod(config.Root, 0o700); err != nil { return err } if runtime.GOOS == "windows" {
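Review bot: In the second hunk the upgrade chmod is applied to the wrong directory: right after `sys.MkdirAllWithACL(config.TempDir, 0o700)` the new code calls `os.Chmod(config.Root, 0o700)`, so a temp dir that an older release created with 0o711 keeps that mode after upgrade (the root dir has already been chmodded a few lines earlier, so this call is a no-op there). The line should read `if err := os.Chmod(config.TempDir, 0o700); err != nil {`. Minor wording in the first hunk's new comment: `Each of plugins creates` reads better as `Each plugin creates`. CreateTopLevelDirectories begins before the first hunk and continues past `if runtime.GOOS == "windows" {`, so the Windows branch is not visible here.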
core/runtime/v2/task_manager.go+2 −0 modified@@ -92,6 +92,8 @@ func init() { } root, state := ic.Properties[plugins.PropertyRootDir], ic.Properties[plugins.PropertyStateDir] for _, d := range []string{root, state} { + // root: the parent of this directory is created as 0o700, not 0o711. + // state: the parent of this directory is created as 0o711 too, so as to support userns-remapped containers. if err := os.MkdirAll(d, 0711); err != nil { return nil, err }
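Review bot: The `os.MkdirAll(d, 0711)` line next to the two new comments still uses the legacy octal literal while the comments and the rest of this commit write `0o711`/`0o700`; for consistency the call should be `if err := os.MkdirAll(d, 0o711); err != nil {`. The second comment's "created as 0o711 too" is also slightly confusing since it is this directory, not only its parent, that stays 0o711; something like `// state: kept 0o711 (like its parent) so userns-remapped containers can traverse it.` states the intent more directly. The enclosing init function and its `for` loop start and end outside this hunk.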
plugins/cri/runtime/plugin.go+7 −0 modified@@ -79,6 +79,13 @@ func initCRIRuntime(ic *plugin.InitContext) (interface{}, error) { rootDir := filepath.Join(containerdRootDir, "io.containerd.grpc.v1.cri") containerdStateDir := filepath.Dir(ic.Properties[plugins.PropertyStateDir]) stateDir := filepath.Join(containerdStateDir, "io.containerd.grpc.v1.cri") + if err := os.MkdirAll(stateDir, 0o700); err != nil { + return nil, err + } + // chmod is needed for upgrading from an older release that created the dir with 0o755 + if err := os.Chmod(stateDir, 0o700); err != nil { + return nil, err + } c := criconfig.Config{ RuntimeConfig: *pluginConfig, ContainerdRootDir: containerdRootDir,
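Review bot: Only stateDir is created and chmodded in this hunk; rootDir, computed two lines above and presumably the /var/lib/containerd/io.containerd.grpc.v1.cri path the advisory names, gets no corresponding MkdirAll/Chmod, so its protection appears to rely entirely on the parent root dir now being 0o700 in server.go. That dependency is worth recording next to the new block, e.g. `// rootDir needs no chmod here: its parent (containerdRootDir) is created 0o700 by the server.` — or, if that assumption does not hold for custom root configs, the same MkdirAll/Chmod pair should be applied to rootDir. initCRIRuntime continues outside the hunk.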
plugins/sandbox/controller.go+5 −1 modified@@ -68,7 +68,11 @@ func init() { state := ic.Properties[plugins.PropertyStateDir] root := ic.Properties[plugins.PropertyRootDir] for _, d := range []string{root, state} { - if err := os.MkdirAll(d, 0711); err != nil { + if err := os.MkdirAll(d, 0700); err != nil { + return nil, err + } + // chmod is needed for upgrading from an older release that created the dir with 0o711 + if err := os.Chmod(d, 0o700); err != nil { return nil, err } }
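Review bot: The two new calls in the loop use different octal spellings, `os.MkdirAll(d, 0700)` and `os.Chmod(d, 0o700)`; the MkdirAll line should be `if err := os.MkdirAll(d, 0o700); err != nil {` to match the Chmod line and the rest of the commit. Note that, unlike task_manager.go where the state dir is deliberately left 0o711 for userns-remapped containers, this loop tightens both root and state to 0o700; that appears intended since the advisory names the sandbox controller's state path, but a short comment saying why userns traversal is not a concern here would save the next reader the comparison. The enclosing init function and loop start and end outside this hunk.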
Vulnerability mechanics
As the removed lines and the "upgrading from an older release" comments in the patches below show, containerd created its root dir (/var/lib/containerd in the advisory) and temp dir with mode 0o711, the CRI plugin's state dir (/run/containerd/io.containerd.grpc.v1.cri) with 0o755, and the sandbox controller's root and state dirs (/run/containerd/io.containerd.sandbox.controller.v1.shim) with 0o711. The execute bit for group and others lets any local user traverse into these root-owned directories (and, at 0o755, list their contents), which is the overly broad default permission the advisory describes; what a local user can then reach or influence beneath them is not detailed on this page. The fix creates these directories with 0o700 and additionally chmods them at startup so that directories left at the old mode by an earlier release are tightened on upgrade, while the top-level state dir intentionally stays 0o711 because userns-remapped containers need to traverse it and each plugin is expected to set tighter bits on its own subdirectory.
References
- github.com/advisories/GHSA-pwhc-rpq9-4c8w (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-25621 (NVD advisory)
- github.com/containerd/containerd/blob/main/docs/rootless.md (rootless mode documentation, workaround)
- github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5 (fix commit)
- github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w (vendor advisory, confirmed)