CVE-2022-23471: containerd CRI stream server vulnerable to host memory exhaustion via terminal
5.7
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.42264%
CWE
Published
12/7/2022
Updated
1/31/2024
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/containerd/containerd | go | < 1.5.16 | 1.5.16 |
github.com/containerd/containerd | go | >= 1.6.0, < 1.6.12 | 1.6.12 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two key functions: 1) handleResizeEvents
lacked context-aware termination, leaving orphaned goroutines when container processes failed to start. 2) createStreams
started these goroutines without proper context propagation. The patch adds context handling in both locations - passing req.Context()
to handleResizeEvents
in createStreams
, and implementing context cancellation checks in handleResizeEvents'
select statement. The commit diff and CVE description directly correlate to these code paths managing terminal resize event handling and goroutine lifecycle.