Memory Exhaustion Vulnerability in containerd Runtime by Docker
CVE-2025-64329

6.9 MEDIUM

Key Information:

Vendor: Containerd

CVE Published: 7 November 2025

What is CVE-2025-64329?

The containerd runtime by Docker has a vulnerability that allows a user to exhaust memory on the host due to goroutine leaks in the CRI Attach implementation. Specifically, versions prior to 1.7.29 for stable releases and up to 2.2.0-rc.1 for beta releases exhibit this flaw. To mitigate the risk, implementing an admission controller to regulate access to pod/attach resources is advisable. Ensure you update to the latest versions to secure your container environments.
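
One way to implement the admission-control mitigation described above, as an added example that is not containerd's or Kubernetes' own code: the decision logic of a validating admission webhook that denies CONNECT on pods/attach unless the caller belongs to an allowed group. The group name `attach-operators` and the sample request are assumptions constructed for illustration; HTTPS serving and the ValidatingWebhookConfiguration registration are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the admission.k8s.io/v1 AdmissionReview fields this check needs.
type request struct {
	UID         string                    `json:"uid"`
	Operation   string                    `json:"operation"`
	SubResource string                    `json:"subResource"`
	Resource    struct{ Resource string } `json:"resource"`
	UserInfo    struct{ Groups []string } `json:"userInfo"`
}
type response struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"`
}

// allowedGroup is a hypothetical group name; only its members may attach.
const allowedGroup = "attach-operators"

// Review denies CONNECT on pods/attach unless the caller is in allowedGroup.
func Review(body []byte) ([]byte, error) {
	var in struct{ Request *request }
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("AdmissionReview missing or malformed (decode error: %v)", err)
	}
	r := in.Request
	out := &response{UID: r.UID, Allowed: true} // the response must echo the request UID
	if r.Operation == "CONNECT" && r.Resource.Resource == "pods" && r.SubResource == "attach" {
		out.Allowed = false
		out.Status = map[string]string{"message": "pods/attach requires group " + allowedGroup}
		for _, g := range r.UserInfo.Groups {
			if g == allowedGroup {
				out.Allowed, out.Status = true, nil
			}
		}
	}
	return json.Marshal(map[string]interface{}{"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": out})
}

func main() {
	// Constructed sample: a user outside the allowed group attaches to a pod.
	sample := `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"u-1","operation":"CONNECT","resource":{"group":"","version":"v1","resource":"pods"},"subResource":"attach","userInfo":{"username":"dev","groups":["developers"]}}}`
	out, err := Review([]byte(sample))
	fmt.Println(string(out), err)
}
```

Other CONNECT subresources such as pods/exec pass through this check unchanged, and a malformed review returns an error so the caller can reject it.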

Affected Version(s)

containerd < 1.7.29

containerd < 2.0.7

containerd >= 2.1.0-beta.0, < 2.1.5

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
