CVE-2024-40635
📋 TL;DR
A vulnerability in containerd allows containers launched with UID/GID values exceeding 32-bit signed integer limits to overflow and run as root (UID 0) instead of the intended non-root user. This affects environments using containerd versions before 1.6.38, 1.7.27, or 2.0.4 where containers are configured to run as non-root users. The issue could lead to privilege escalation within container environments.
💻 Affected Systems
- containerd
📦 What is this software?
Containerd by Linuxfoundation
⚠️ Risk & Real-World Impact
Worst Case
Container processes gain root privileges unexpectedly, potentially allowing container escape, host system compromise, or lateral movement within Kubernetes clusters.
Likely Case
Containers run with elevated privileges contrary to security policies, violating least-privilege principles and potentially exposing sensitive data or services.
If Mitigated
Containers run with intended user permissions, maintaining proper isolation and security boundaries as configured.
🎯 Exploit Status
Requires ability to create or modify container configurations with specific UID/GID values
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.38, 1.7.27, or 2.0.4
Vendor Advisory: https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg
Restart Required: Yes
Instructions:
1. Stop all containers using containerd.
2. Update containerd to version 1.6.38, 1.7.27, or 2.0.4 using your package manager.
3. Restart the containerd service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict container image sources
Only allow trusted container images from verified registries
# Configure containerd to only pull from trusted registries
# Edit /etc/containerd/config.toml to restrict registries
Enforce UID/GID validation
Implement admission controllers or policies to validate container UID/GID values
# Use Kubernetes PodSecurityPolicy or OPA/Gatekeeper to validate UID ranges
# Example: Ensure runAsUser < 2147483647
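An added example (not containerd's own code) in Go, the language containerd is written in, of the UID/GID validation the workaround above calls for: ValidateUser rejects any numeric uid or gid above 2147483647 before a container spec reaches the runtime, and NarrowTo32 is a generic illustration of how an unchecked narrowing conversion silently changes such values (it is not containerd's actual code path). The function names and the uid:gid-only input form are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ContainerUser is the validated identity a workload is allowed to run as.
type ContainerUser struct{ UID, GID uint32 }
// maxID is the advisory's limit: the largest 32-bit signed integer.
const maxID = 2147483647

// parseID parses one numeric identity and rejects anything above maxID.
func parseID(field, raw string) (uint32, error) {
	v, err := strconv.ParseUint(raw, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("%s %q: must be a non-negative integer", field, raw)
	}
	if v > maxID {
		return 0, fmt.Errorf("%s %d exceeds 32-bit signed limit %d", field, v, maxID)
	}
	return uint32(v), nil
}

// ValidateUser checks an explicit numeric "uid:gid" string (named users are out of scope here).
func ValidateUser(user string) (ContainerUser, error) {
	parts := strings.Split(user, ":")
	if len(parts) != 2 {
		return ContainerUser{}, fmt.Errorf("user %q: expected numeric uid:gid", user)
	}
	uid, err := parseID("uid", parts[0])
	if err != nil {
		return ContainerUser{}, err
	}
	gid, err := parseID("gid", parts[1])
	if err != nil {
		return ContainerUser{}, err
	}
	return ContainerUser{UID: uid, GID: gid}, nil
}

// NarrowTo32 is a generic illustration, not containerd's code: only the low 32 bits survive.
func NarrowTo32(v uint64) int32 { return int32(v) }

func main() {
	_, err := ValidateUser("2147483648:1000")
	fmt.Println("rejected:", err)
	fmt.Println(NarrowTo32(4294967296), NarrowTo32(2147483648)) // 0 -2147483648
}
```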
🧯 If You Can't Patch
- Implement strict image scanning and validation to prevent containers with UID/GID > 2147483647
- Use runtime security tools (Falco, Tracee) to detect containers running as root unexpectedly
🔍 How to Verify
Check if Vulnerable:
Check the containerd version with `containerd --version`. If the version is earlier than the fixed release for its series (1.6.38 for 1.6.x, 1.7.27 for 1.7.x, or 2.0.4 for 2.0.x), the system is vulnerable.
Check Version:
containerd --version
Verify Fix Applied:
After the update, run `containerd --version` and confirm the version is 1.6.38, 1.7.27, or 2.0.4 or later for its series.
📡 Detection & Monitoring
Log Indicators:
- Containers starting with UID 0 when configured with non-root user
- Audit logs showing container user ID changes
Network Indicators:
- Unexpected network connections from containers running as root
SIEM Query:
container.runtime=containerd AND container.user.uid=0 AND container.config.user EXISTS
🔗 References
- https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da
- https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20
- https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a
- https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg
- https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html