We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.
Repetitive calls of CRI Attach (e.g., kubectl attach) could increase the memory usage of containerd.
kubectl attach
This bug has been fixed in the following containerd versions:
Users should update to these versions to resolve the issue.
Set up an admission controller to control accesses to pods/attach resources. e.g., Validating Admission Policy.
pods/attach
The containerd project would like to thank @Wheat2018 for responsibly disclosing this issue in accordance with the containerd security policy.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329
If you have any questions or comments about this advisory:
To report a security issue in containerd:
Impact
A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.
Repetitive calls of CRI Attach (e.g.,
kubectl attach) could increase the memory usage of containerd.Patches
This bug has been fixed in the following containerd versions:
Users should update to these versions to resolve the issue.
Workarounds
Set up an admission controller to control accesses to
pods/attachresources.e.g., Validating Admission Policy.
Credits
The containerd project would like to thank @Wheat2018 for responsibly disclosing this issue in accordance with the containerd security policy.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329
For more information
If you have any questions or comments about this advisory:
To report a security issue in containerd: