The containerd community has disclosed CVE-2024-40635. When a container is started with a user whose configured UID or GID exceeds the maximum 32-bit signed integer (2147483647), the value overflows and the container unexpectedly runs as root (UID 0). An attacker who can influence the UID or GID a container starts with can use this to bypass the non-root requirement and escalate privileges in environments where containers are expected to run as non-root users.
This vulnerability is rated medium severity, with a Common Vulnerability Scoring System (CVSS) score of 4.6. For details, see the containerd community announcement.
Affected scope
The following containerd runtime versions are vulnerable:
< 1.6.38
< 1.7.27
< 2.0.4
The issue has been patched in the following versions:
1.6.38
1.7.27
2.0.4
Solution
Update containerd runtime to a version where the vulnerability is fixed. For cluster runtime updates, see Update a node pool.
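Before updating, you need to know which nodes are still on an affected release. The following Go program is an added example (not code from the containerd project or from this advisory's author): it parses the runtime version string that Kubernetes reports in node.status.nodeInfo.containerRuntimeVersion (the "containerd://1.7.25" form) and compares it against the three fixed releases listed above. It assumes that a pre-release tag of a fixed version (for example 2.0.4-rc.1) should still be treated as unfixed, and that any release line newer than the three listed here (such as 2.1.x) is not affected, since the advisory lists none.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a containerd release number; Pre marks a pre-release tag
// such as "-rc.1" or "-beta.0".
type Version struct {
	Major, Minor, Patch int
	Pre                 bool
}

// Oldest fixed release on each affected line, as listed in this advisory.
var fixedReleases = []Version{
	{Major: 1, Minor: 6, Patch: 38},
	{Major: 1, Minor: 7, Patch: 27},
	{Major: 2, Minor: 0, Patch: 4},
}

// ParseVersion accepts "1.7.25", "v1.7.25", "1.7.27-rc.1" and the
// "containerd://1.7.25" form that Kubernetes reports in
// node.status.nodeInfo.containerRuntimeVersion.
func ParseVersion(raw string) (Version, error) {
	s := raw
	if i := strings.Index(s, "://"); i >= 0 {
		s = s[i+3:]
	}
	s = strings.TrimPrefix(s, "v")
	var v Version
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		v.Pre = s[i] == '-' // "+build" metadata does not make it a pre-release
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("unrecognised version %q", raw)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return Version{}, fmt.Errorf("bad component %q in %q", p, raw)
		}
		n[i] = x
	}
	v.Major, v.Minor, v.Patch = n[0], n[1], n[2]
	return v, nil
}

// compare orders by major.minor.patch and ranks a pre-release below the
// final release of the same number, so 2.0.4-rc.1 still counts as unfixed.
func compare(a, b Version) int {
	for _, d := range []int{a.Major - b.Major, a.Minor - b.Minor, a.Patch - b.Patch} {
		if d < 0 {
			return -1
		}
		if d > 0 {
			return 1
		}
	}
	switch {
	case a.Pre && !b.Pre:
		return -1
	case !a.Pre && b.Pre:
		return 1
	}
	return 0
}

// Affected reports whether v predates the fix on its release line and which
// release closes the hole. The line is the newest fixed line not newer than
// v's major.minor: releases older than 1.6 are measured against 1.6.38, and
// any 2.x line after 2.0 against 2.0.4, the newest fix this advisory names
// (assumption: later lines are not affected).
func Affected(v Version) (bool, Version) {
	fix := fixedReleases[0]
	for _, f := range fixedReleases {
		if f.Major < v.Major || (f.Major == v.Major && f.Minor <= v.Minor) {
			fix = f
		}
	}
	return compare(v, fix) < 0, fix
}

func main() {
	// Constructed sample of containerRuntimeVersion values, not real nodes.
	nodes := map[string]string{
		"node-a": "containerd://1.6.33",
		"node-b": "containerd://1.7.27",
		"node-c": "containerd://2.0.4-rc.1",
	}
	for name, raw := range nodes {
		v, err := ParseVersion(raw)
		if err != nil {
			fmt.Printf("%s: %v\n", name, err)
			continue
		}
		if bad, fix := Affected(v); bad {
			fmt.Printf("%s: %s is affected, update to %d.%d.%d or later\n",
				name, raw, fix.Major, fix.Minor, fix.Patch)
		} else {
			fmt.Printf("%s: %s is fixed\n", name, raw)
		}
	}
}
```

To feed it real data, collect the per-node runtime strings with `kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.containerRuntimeVersion}{"\n"}{end}'` and pass each value to ParseVersion and Affected.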
Mitigation measures
Deploy the ACKPSPAllowedUsers policy to restrict the UIDs and GIDs that pods in your cluster may start with to a specified range.
Use Notation and Ratify to sign and verify OCI artifacts so that only trusted images are deployed in your cluster.
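The first mitigation works because a UID or GID that is validated against a bounded range before the container starts can never reach the overflowing value. The Go program below is an added example of that kind of guardrail; it is not the ACKPSPAllowedUsers implementation and not containerd code. It parses a numeric "UID:GID" user string (the form an image's USER directive or a runtime spec may carry) with a 32-bit bounded parse, rejects anything above the 32-bit signed maximum named in this advisory, and then checks both IDs against an allowed range. The range 1000-65535 and the sample inputs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// IDRange is the inclusive window of UIDs/GIDs a policy allows, e.g. 1000-65535.
type IDRange struct{ Min, Max uint32 }

// ErrOutOfRange marks an ID that parsed cleanly but falls outside the policy.
var ErrOutOfRange = errors.New("id outside allowed range")

// ParseID parses one numeric UID or GID the way a guardrail should: base 10,
// must fit in 32 bits (ParseUint with bitSize 32 rejects 4294967296 and "-1"),
// and, matching the threshold in this advisory, anything above MaxInt32 is
// refused here rather than left to overflow in a downstream conversion.
func ParseID(s string) (uint32, error) {
	n, err := strconv.ParseUint(s, 10, 32)
	if err != nil {
		return 0, fmt.Errorf("id %q: %w", s, err)
	}
	if n > math.MaxInt32 {
		return 0, fmt.Errorf("id %q exceeds max int32 (%d)", s, math.MaxInt32)
	}
	return uint32(n), nil
}

// CheckUser validates a "UID:GID" user string against an allowed range.
// Named users and a bare UID are rejected: the group they resolve to comes
// from the image's /etc/passwd, which this check cannot see, so only an
// explicit numeric pair can be verified here (a design choice of this example).
func CheckUser(user string, allowed IDRange) (uid, gid uint32, err error) {
	parts := strings.Split(user, ":")
	if len(parts) != 2 {
		return 0, 0, fmt.Errorf("user %q: need explicit numeric UID:GID", user)
	}
	if uid, err = ParseID(parts[0]); err != nil {
		return 0, 0, err
	}
	if gid, err = ParseID(parts[1]); err != nil {
		return 0, 0, err
	}
	for _, id := range []uint32{uid, gid} {
		if id < allowed.Min || id > allowed.Max {
			return 0, 0, fmt.Errorf("%w: %d not in %d-%d", ErrOutOfRange, id, allowed.Min, allowed.Max)
		}
	}
	return uid, gid, nil
}

func main() {
	policy := IDRange{Min: 1000, Max: 65535}
	// Constructed inputs, including the overflow value from the advisory.
	for _, u := range []string{"1000:1000", "2147483648:1000", "0:0", "4294967296:1", "-1:1", "app"} {
		uid, gid, err := CheckUser(u, policy)
		if err != nil {
			fmt.Printf("reject %-16s %v\n", u, err)
			continue
		}
		fmt.Printf("allow  %-16s uid=%d gid=%d\n", u, uid, gid)
	}
}
```

Note the order of checks: the size limit is enforced at parse time, before any range comparison, so a value such as 2147483648 is rejected for exceeding the 32-bit signed maximum regardless of how wide the allowed range is; the range check then catches UID 0 and anything else the policy excludes.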