containerd TOCTOU Vulnerability Allows Arbitrary Host File System Modification

Vulnerability

A time-of-check to time-of-use (TOCTOU) vulnerability exists in containerd version 2.1.0. During the image unpacking step of an image pull, a specially crafted container image can arbitrarily alter the host file system. This vulnerability is not present in other versions of containerd. The issue has been addressed in containerd version 2.1.1.

Impact

Exploitation of this vulnerability allows for arbitrary modifications to the host file system.

Remediation

Users are advised to update to containerd version 2.1.1. As an additional precaution, only trusted images should be used and only trusted users should be granted permissions to import images.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm (score per category, 0.0 to 10.0)

spread: 0.0
impact: 3.3
exploitability: 5.0
remediation: 7.7
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.