Fluid Attacks Database

Description

containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a UID:GID larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	containerd	=1.4.12~ds1-1~deb11u1 \|\| =1.4.13~ds1-1~deb11u1 \|\| =1.4.13~ds1-1~deb11u2 \|\| =1.4.13~ds1-1~deb11u3 \|\| =1.4.13~ds1-1~deb11u4 \|\| =1.4.5~ds1-2 \|\| =1.4.5~ds1-2+deb11u1 \|\| >=0 <1.4.13~ds1-1~deb11u5	1.4.13~ds1-1~deb11u5
go	github.com/containerd/containerd	>=1.7.0-beta.0 <1.7.27 \|\| >=0 <1.6.38	1.7.27, 1.6.38
debian 12	containerd	=1.6.20~ds1-1 \|\| =1.6.20~ds1-1+deb12u1 \|\| >=0 <1.6.20~ds1-1+deb12u2	1.6.20~ds1-1+deb12u2
debian 13	containerd	>=0 <1.7.24~ds1-6	1.7.24~ds1-6
debian 14	containerd	>=0 <1.7.24~ds1-6	1.7.24~ds1-6
go	github.com/containerd/containerd/v2	>=0 <2.0.4	2.0.4

Aliases

1. CVE-2024-406352. NVD-2024-406353. OSV-DEBIAN-2024-406354. OSV-2024-406355. GHSA-265r-hfxg-fhmg6. GCVE-2024-406357. SECURITY-TRACKER-CVE-2024-406358. lists.debian.org

References

1. https://github.com/yen5004/CVE-2024-40635_POC2. https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg3. https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da4. https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab205. https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a