CVE-2024-40635
Publication date 17 March 2025
Last updated 30 May 2025
Ubuntu priority
containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| containerd | 25.04 plucky |
Vulnerable
|
| 24.10 oracular |
Vulnerable
|
|
| 24.04 LTS noble |
Fixed 1.6.24~ds1-1ubuntu1.2+esm1
|
|
| 22.04 LTS jammy |
Fixed 1.6.12-0ubuntu1~22.04.8
|
|
| 20.04 LTS focal |
Fixed 1.6.12-0ubuntu1~20.04.8
|
|
| 18.04 LTS bionic |
Fixed 1.6.12-0ubuntu1~18.04.1+esm2
|
|
| 16.04 LTS xenial |
Fixed 1.2.6-0ubuntu1~16.04.6+esm5
|
|
| containerd-app | 25.04 plucky |
Fixed 2.0.2-0ubuntu2
|
| 24.10 oracular |
Fixed 2.0.0~rc3-0ubuntu1.1
|
|
| 24.04 LTS noble |
Fixed 1.7.24-0ubuntu1~24.04.2
|
|
| 22.04 LTS jammy |
Fixed 1.7.24-0ubuntu1~22.04.2
|
|
| 20.04 LTS focal |
Fixed 1.7.24-0ubuntu1~20.04.2
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
alexmurray
Traditionally the containerd source package contained both the library and docker application. However, in releases that contain the containerd-app source package, the containerd source package contains only the library whilst the docker application itself is contained in the containerd-app package.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
4.6 · Medium
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | High |
| User interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-7374-1
- containerd vulnerability
- 26 March 2025
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-40635
- https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg
- https://github.com/containerd/containerd/commit/11504c3fc5f45634f2d93d57743a998194430b82 (v1.7.27)
- https://github.com/containerd/containerd/commit/9639b9625554183d0c4d8d072dccb84fedd2320f (v1.6.38)
- https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da
- https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20
- https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a