CVE-2025-64329

5.5 MEDIUM

📋 TL;DR

This CVE describes a memory exhaustion vulnerability in containerd's CRI Attach implementation where goroutine leaks allow users to consume host memory. Affected users are those running vulnerable versions of containerd in containerized environments, potentially leading to denial of service. The vulnerability requires access to pod attach resources.

💻 Affected Systems

Products:
  • containerd
Versions: 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, 2.2.0-beta.0 through 2.2.0-rc.1
Operating Systems: Linux, Any OS running containerd
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using CRI Attach functionality; default containerd installations with CRI enabled are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete host memory exhaustion leading to system crash, container unavailability, and potential data loss from improper shutdown.

🟠 Likely Case

Degraded performance due to memory pressure, container failures, and potential denial of service for affected workloads.

🟢 If Mitigated

Minimal impact with proper access controls and monitoring; memory exhaustion limited to authorized users only.

🌐 Internet-Facing: LOW - Requires authenticated access to Kubernetes API or containerd socket, not directly internet-exposed by default.
🏢 Internal Only: MEDIUM - Internal users with pod attach permissions can exploit this, potentially affecting shared infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires only API access to trigger attach operations repeatedly.

Exploitation requires permissions to access pods/attach resources; no authentication bypass needed beyond existing privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.29, 2.0.7, 2.1.5, 2.2.0

Vendor Advisory: https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2

Restart Required: Yes

Instructions:

1. Identify the containerd version using 'containerd --version'.
2. Upgrade to a patched version via package manager (apt/yum) or direct binary replacement.
3. Restart the containerd service: 'systemctl restart containerd'.
4. Verify the upgrade with a version check.

🔧 Temporary Workarounds

Admission Controller Restriction (linux)

Implement a Kubernetes admission controller to restrict access to pods/attach resources, limiting the exploit surface.

kubectl apply -f admission-controller.yaml

🧯 If You Can't Patch

  • Implement strict RBAC policies to limit pod attach permissions to essential users only.
  • Monitor memory usage and set alerts for abnormal goroutine counts or memory consumption patterns.

🔍 How to Verify

Check if Vulnerable:

Run 'containerd --version' and compare against affected version ranges; check if CRI is enabled in containerd config.

Check Version:

containerd --version

Verify Fix Applied:

Confirm version is 1.7.29+, 2.0.7+, 2.1.5+, or 2.2.0+; monitor for goroutine leaks during attach operations.
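The version check above is easy to get wrong by hand because the affected ranges span four release lines and include prereleases. The following POSIX sh script is an added example, not part of this advisory or of the containerd project: it extracts the version token from 'containerd --version' output and classifies it against the ranges listed under Affected Systems. It assumes the version token has the form [v]MAJOR.MINOR.PATCH[-PRE] (for example v1.7.28 or v2.2.0-rc.1); the sample output line used in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or the containerd project): classify a
# containerd version string against the CVE-2025-64329 affected ranges quoted
# in this advisory. Assumption: the version token has the form
# [v]MAJOR.MINOR.PATCH[-PRE], e.g. "v1.7.28" or "v2.2.0-rc.1"; any build
# metadata after "+" is ignored.

# containerd_version_from_output OUTPUT
#   Prints the first version-looking token from `containerd --version` output,
#   e.g. (constructed sample) "containerd github.com/containerd/containerd v1.7.28 abc123" -> "v1.7.28"
containerd_version_from_output() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^v?[0-9]+\.[0-9]+\.[0-9]+/) { print $i; exit }
    }'
}

# containerd_vulnerable VERSION
#   Returns 0 (true) when VERSION falls inside an affected range, 1 otherwise.
containerd_vulnerable() {
    v=${1#v}                      # strip leading "v"
    v=${v%%+*}                    # strip build metadata
    core=${v%%-*}                 # MAJOR.MINOR.PATCH
    pre=""
    case $v in *-*) pre=${v#*-} ;; esac   # prerelease tag, e.g. "rc.1"
    major=${core%%.*}
    rest=${core#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    case "$major.$minor" in
        1.*)
            # 1.7.28 and below; every 1.x minor older than 1.7 is included
            [ "$minor" -lt 7 ] && return 0
            [ "$minor" -eq 7 ] && [ "$patch" -le 28 ] && return 0
            return 1 ;;
        2.0)
            # 2.0.0-beta.0 through 2.0.6 (fixed in 2.0.7); prereleases of
            # 2.0.0 are covered because their patch number is 0
            [ "$patch" -le 6 ] && return 0
            return 1 ;;
        2.1)
            # 2.1.0-beta.0 through 2.1.4 (fixed in 2.1.5)
            [ "$patch" -le 4 ] && return 0
            return 1 ;;
        2.2)
            # 2.2.0-beta.0 through 2.2.0-rc.1: only prereleases of 2.2.0;
            # the final 2.2.0 carries the fix
            [ "$patch" -eq 0 ] && [ -n "$pre" ] && return 0
            return 1 ;;
        *)
            return 1 ;;
    esac
}

# Stand-alone use: inspect the local daemon when one is installed.
if command -v containerd >/dev/null 2>&1; then
    ver=$(containerd_version_from_output "$(containerd --version 2>/dev/null)")
    if [ -n "$ver" ] && containerd_vulnerable "$ver"; then
        echo "containerd $ver: within CVE-2025-64329 affected range, upgrade"
    else
        echo "containerd ${ver:-unknown}: not in an affected range"
    fi
fi
```

The classification only looks at the version string; it does not tell you whether the CRI plugin is enabled, so pair it with a check of the containerd config as the advisory suggests.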

📡 Detection & Monitoring

Log Indicators:

  • Unusual number of goroutines in containerd logs
  • Memory exhaustion warnings
  • Failed attach operations with resource errors

Network Indicators:

  • High frequency of attach API calls from single source
  • Abnormal Kubernetes API request patterns

SIEM Query:

source="containerd" AND ("goroutine" OR "memory" OR "attach") AND ("error" OR "warning" OR "exhaust")
