CVE Tools
Sign in

CVE-2024-25621

containerd affected by a local privilege escalation via wide permissions on CRI directory

Published: Nov 6, 2025Updated: Dec 31, 2025 Sources: CVE List NVD GHSA BDUCWE-279
NVD MITRE
7.3CVSSHIGH
EPSS Score
0.1%
Top 96.2%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode.

CVSS Vector Breakdown

AV:LAC:LPR:LUI:RS:UC:HI:HA:H
Exploitability
AV:LAttack Vector
Local
AC:LAttack Complexity
Low
PR:LPrivileges Required
Low
UI:RUser Interaction
Required
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:HAvailability
High
Open in CVSS calculator →

Weaknesses

CWE-279

Affected Products

containerdcontainerd
On-prem
Cloud & SaaS / container-orchestration
containerdlinuxfoundation
Mixed
AI / ML / ml-framework
github.com/containerd/containerdGoOSS Libraries
github.com/containerd/containerd/v2GoOSS Libraries
Astra Linux Special EditionООО «РусБИТех-Астра»
On-premOS
Operating Systems / linux-distro
containerdoss-projectCloud & SaaSaka containerd, imgcrypt
linuxfoundationoss-projectUSAI / MLaka yocto, pytorch, everest
gopackage-ecosystemOSS Libraries
ооо «русбитех-астра»commercialRUOperating Systemsaka rusbitech-astra
and 3 more affected products View all →

Exploitability

Official Patch Available

References

https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w
github.com
https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5
github.com
https://github.com/containerd/containerd/blob/main/docs/rootless.md
github.com
and 13 more references View all →

Timeline

Published
Nov 6, 2025
Last Updated
Dec 31, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2024-25621 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows