Moderate severity · NVD Advisory · Published Nov 7, 2025 · Updated Nov 7, 2025
containerd CRI server: Host memory exhaustion through Attach goroutine leak
CVE-2025-64329
Description
containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To work around this vulnerability, users can set up an admission controller to control access to the pods/attach resource.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/containerd/containerd | Go | < 1.7.29 | 1.7.29 |
| github.com/containerd/containerd/v2 | Go | < 2.0.7 | 2.0.7 |
| github.com/containerd/containerd/v2 | Go | >= 2.1.0-beta.0, < 2.1.5 | 2.1.5 |
| github.com/containerd/containerd/v2 | Go | >= 2.2.0-beta.0, < 2.2.0 | 2.2.0 |
Affected products
- Range: < 1.7.29
Patches
- 083b53cd6f19: Merge commit from fork (2 files changed, +12 −4)
internal/cri/io/container_io.go+11 −3 modified@@ -17,6 +17,7 @@ package io import ( + "context" "errors" "fmt" "io" @@ -160,7 +161,7 @@ func (c *ContainerIO) Pipe() { // Attach attaches container stdio. // TODO(random-liu): Use pools.Copy in docker to reduce memory usage? -func (c *ContainerIO) Attach(opts AttachOptions) { +func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) { var wg sync.WaitGroup key := util.GenerateID() stdinKey := streamKey(c.id, "attach-"+key, Stdin) @@ -201,8 +202,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) { } attachStream := func(key string, close <-chan struct{}) { - <-close - log.L.Infof("Attach stream %q closed", key) + select { + case <-close: + log.L.Infof("Attach stream %q closed", key) + case <-ctx.Done(): + log.L.Infof("Attach client of %q cancelled", key) + // Avoid writeGroup heap up + c.stdoutGroup.Remove(key) + c.stderrGroup.Remove(key) + } // Make sure stdin gets closed. if stdinStreamRC != nil { stdinStreamRC.Close()
internal/cri/server/container_attach.go+1 −1 modified@@ -82,6 +82,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re }, } // TODO(random-liu): Figure out whether we need to support historical output. - cntr.IO.Attach(opts) + cntr.IO.Attach(ctx, opts) return nil }
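Review bot: In the `attachStream` select in container_io.go, the `case <-ctx.Done():` branch calls `c.stdoutGroup.Remove(key)` and `c.stderrGroup.Remove(key)` for every stream goroutine, although each `attachStream` invocation is handed a single `key`; that relies on `Remove` tolerating an absent key, and the `<-close` branch does no removal at all, so a comment explaining who removes the entry on the normal-close path would help the next reader. The comment `// Avoid writeGroup heap up` should also be reworded, e.g. `// Remove this writer so stale entries do not accumulate in the write group`.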
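Review bot: The change in container_attach.go passes the CRI request `ctx` straight through as `cntr.IO.Attach(ctx, opts)`, so the cleanup of attach goroutines is now tied to the lifetime of that request context; since the `Attach` signature changed, any other caller of `ContainerIO.Attach` will fail to compile, and the diff shows only this one call site updated. The patch touches no test file, so a regression test that cancels the context and asserts the stream keys are removed from the write groups would strengthen the fix.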
References
- GitHub Advisory (GHSA-m6hq-p25p-ffr2): github.com/advisories/GHSA-m6hq-p25p-ffr2
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2025-64329
- Fix commit: github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df
- containerd security advisory: github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2