CVE-2022-23471: containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the...

Description

containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

1.02%

59.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Linuxfoundation	Containerd	< 1.5.16
Linuxfoundation	Containerd	>= 1.6.0, < 1.6.12

References

https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0Patch, Third Party Advisory
https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9Third Party Advisory
https://security.gentoo.org/glsa/202401-31
https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0Patch, Third Party Advisory
https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9Third Party Advisory
https://security.gentoo.org/glsa/202401-31

Timeline

Published: Dec 7, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-23471?

containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.

How severe is CVE-2022-23471?

CVE-2022-23471 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 1.02% probability of exploitation in the next 30 days.

How do I fix CVE-2022-23471?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.