| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/containerd/containerd | go | < 1.7.29 | 1.7.29 |
| github.com/containerd/containerd/v2 | go | < 2.0.7 | 2.0.7 |
| github.com/containerd/containerd/v2 | go | >= 2.1.0-beta.0, < 2.1.5 | 2.1.5 |
| github.com/containerd/containerd/v2 | go | >= 2.2.0-beta.0, < 2.2.0 | 2.2.0 |

The vulnerability is a memory exhaustion issue in containerd's CRI server caused by a goroutine leak in the Attach implementation. Repeated calls to Attach (e.g., via kubectl attach) without proper stream closure would cause goroutines to accumulate, leading to increased memory consumption on the host.
The analysis of the provided patch commit 083b53cd6f19b5de7717b0ce92c11bdf95e612df pinpoints the vulnerable functions.
The primary vulnerable function is ContainerIO.Attach located in internal/cri/io/container_io.go. This function was modified to accept a context.Context. The core of the fix is the introduction of a select block that waits for either the stream to be closed or the context to be done. If the context is canceled (which happens on client disconnection), the associated resources are cleaned up, preventing the goroutine from leaking.
The function criService.attachContainer in internal/cri/server/container_attach.go is the entry point that handles the CRI Attach request. It was updated to pass the request's context down to the ContainerIO.Attach function. Therefore, criService.attachContainer is a key part of the execution flow that triggers the vulnerability and would be observed in a runtime profile during exploitation.

| Function | File |
|---|---|
| ContainerIO.Attach | internal/cri/io/container_io.go |
| criService.attachContainer | internal/cri/server/container_attach.go |
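
The leak and the fix described above can be reproduced in a simplified model. This is an added example, not containerd's code: `stream`, `attachLeaky`, `attachFixed` and `stillRunning` are hypothetical names, and the only assumption taken from the analysis is that the patched function waits in a select on stream closure or context cancellation.

```go
package main

import (
	"context"
	"fmt"
	"sync/atomic"
	"time"
)

// stream is a hypothetical stand-in for an attach stream; closed fires
// only when the stream is shut down properly.
type stream struct{ closed chan struct{} }

// attachLeaky models the pre-patch shape: it waits only for stream closure.
func attachLeaky(_ context.Context, s *stream) { <-s.closed }

// attachFixed models the patched shape: stream closure or context done.
func attachFixed(ctx context.Context, s *stream) {
	select {
	case <-s.closed:
	case <-ctx.Done(): // client went away: return so resources are released
	}
}

// stillRunning starts n attach calls whose clients disconnect (context
// cancelled) without closing the stream, then reports how many goroutines
// are still blocked after a grace period of up to 500ms.
func stillRunning(n int, attach func(context.Context, *stream)) int {
	var running int64
	for i := 0; i < n; i++ {
		ctx, cancel := context.WithCancel(context.Background())
		atomic.AddInt64(&running, 1)
		go func() {
			defer atomic.AddInt64(&running, -1)
			attach(ctx, &stream{closed: make(chan struct{})})
		}()
		cancel() // constructed scenario: disconnect, stream never closed
	}
	deadline := time.Now().Add(500 * time.Millisecond)
	for atomic.LoadInt64(&running) > 0 && time.Now().Before(deadline) {
		time.Sleep(5 * time.Millisecond)
	}
	return int(atomic.LoadInt64(&running))
}

func main() {
	fmt.Println("leaky:", stillRunning(100, attachLeaky)) // 100
	fmt.Println("fixed:", stillRunning(100, attachFixed)) // 0
}
```

On a live node, the equivalent signal is a goroutine count that grows with each unclosed attach and never falls, with the blocked frames sitting under the two functions listed above.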