CVE-2022-31030

Name: CVE-2022-31030
Creator: NVD / NIST
Published: 2022-06-09T14:15:08.55+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.5/10EPSS 0.38%

Last modified Jun 17, 2026

CVE-2022-31030 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. EPSS estimates a 0.38% chance of exploitation in the next 30 days.

Description

containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.

Metrics

CVSS 3.1

5.5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

0.38%

29.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-400

Affected Software

Vendor	Product	Versions
Linuxfoundation	Containerd	< 1.5.13
Linuxfoundation	Containerd	>= 1.6.0, < 1.6.6
Debian	Debian Linux	11.0
Fedoraproject	Fedora	35
Fedoraproject	Fedora	36

References

http://www.openwall.com/lists/oss-security/2022/06/07/1Mailing List, Third Party Advisory
https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382Product, Third Party Advisory
https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpfThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/
https://security.gentoo.org/glsa/202401-31
https://www.debian.org/security/2022/dsa-5162Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/06/07/1Mailing List, Third Party Advisory
https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382Product, Third Party Advisory
https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpfThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/
https://security.gentoo.org/glsa/202401-31
https://www.debian.org/security/2022/dsa-5162Third Party Advisory

Timeline

Published: Jun 9, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-31030?

How severe is CVE-2022-31030?

CVE-2022-31030 has a CVSS score of 5.5/10 (MEDIUM severity). The EPSS model estimates a 0.38% probability of exploitation in the next 30 days.

How do I fix CVE-2022-31030?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-31030?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST