CVE-2025-47291
Publication date 22 May 2025
Last updated 22 May 2025
Ubuntu priority
containerd is an open-source container runtime. A bug was found in the containerd's CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn't put usernamespaced containers under the Kubernetes' cgroup hierarchy, therefore some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node. This bug has been fixed in containerd 2.0.5+ and 2.1.0+. Users should update to these versions to resolve the issue. As a workaround, disable usernamespaced pods in Kubernetes temporarily.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| containerd | 25.04 plucky |
Needs evaluation
|
| 24.10 oracular |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| containerd-app | 25.04 plucky |
Needs evaluation
|
| 24.10 oracular |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
Notes
alexmurray
Traditionally the containerd source package contained both the library and docker application. However, in releases that contain the containerd-app source package, the containerd source package contains only the library whilst the docker application itself is contained in the containerd-app package.