CVE-2025-47291

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-47291

Severity

7.5

High

CVSS V3

Description

containerd is an open-source container runtime. A bug was found in the containerd's CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn't put usernamespaced containers under the Kubernetes' cgroup hierarchy, therefore some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node. This bug has been fixed in containerd 2.0.5+ and 2.1.0+. Users should update to these versions to resolve the issue. As a workaround, disable usernamespaced pods in Kubernetes temporarily.

References

https://images.chainguard.dev/security/CGA-694j-cpxq-9mph
https://github.com/advisories/GHSA-cxfp-7pvr-95ff
https://images.chainguard.dev/security/CGA-xhvv-9h5c-qvj8
https://images.chainguard.dev/security/CGA-5g26-7vmv-85m5
https://images.chainguard.dev/security/CGA-rffv-rr94-c8px
https://images.chainguard.dev/security/CGA-frwj-rc3x-3ggf
https://images.chainguard.dev/security/CGA-h3ff-cvm2-7m7v
https://images.chainguard.dev/security/CGA-q8mv-6q3j-j7vw
https://images.chainguard.dev/security/CGA-q6w8-82w2-mwrw
https://github.com/containerd/containerd/security/advisories/GHSA-cxfp-7pvr-95ff

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2025-47291

Severity

Description

References

Affected packages

Product

Solutions

Customers

Resources

Company