CVE-2022-23471

MEDIUM5.7EPSS 0.26%

containerd CRI stream server vulnerable to host memory exhaustion via terminal

Published: 12/7/2022Modified: 2/4/2026
Also known as:GHSA-2qjp-425j-52j9CGA-342f-5g83-vf7fGO-2022-1147

Description

### Impact A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. ### Patches This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. ### Workarounds Ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers. ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose) * Email us at [[email protected]](mailto:[email protected]) To report a security issue in containerd: * [Report a new vulnerability](https://github.com/containerd/containerd/security/advisories/new) * Email us at [[email protected]](mailto:[email protected])

Affected packages (3)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1MEDIUM5.7CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

References (9)