x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2024-40635

[GoVulnBot]

Advisory CVE-2024-40635 references a vulnerability in the following Go modules:

Module
github.com/containerd/containerd

Description:
containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a UID:GID larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-40635
• FIX: containerd/containerd@05044ec
• FIX: containerd/containerd@1a43cb6
• FIX: containerd/containerd@cf158e8
• WEB: GHSA-265r-hfxg-fhmg

Cross references:

• github.com/containerd/containerd appears in 14 other report(s):
  • data/excluded/GO-2023-2321.yaml (x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2021-21334 #2321) LEGACY_FALSE_POSITIVE
  • data/reports/GO-2022-0278.yaml (x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2021-43816 #278)
  • data/reports/GO-2022-0344.yaml (x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2022-23648 #344)
  • data/reports/GO-2022-0360.yaml (x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-5j5w-g665-5m35 #360)
  • data/reports/GO-2022-0482.yaml (x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2022-31030 #482)
  • data/reports/GO-2022-0784.yaml (x/vulndb: potential Go vuln in github.com/containerd/containerd/cmd: GHSA-36xw-fx78-c5r4 #784)
  • data/reports/GO-2022-0803.yaml (x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-742w-89gc-8m9c #803)
  • data/reports/GO-2022-0921.yaml (x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2021-32760, GHSA-c72p-9xmj-rx3w #921)
  • data/reports/GO-2022-0938.yaml (x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2021-41103, GHSA-c2h3-6mxw-7mvq #938)
  • data/reports/GO-2022-1147.yaml (x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2022-23471 #1147)
  • data/reports/GO-2023-1573.yaml (x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-259w-8hf6-59c2 #1573)
  • data/reports/GO-2023-1574.yaml (x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-hmfx-3pcx-653p #1574)
  • data/reports/GO-2023-2412.yaml (x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-7ww5-4wqc-m92c #2412)
  • data/reports/GO-2024-2846.yaml (x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-c9cp-9c75-9v8c #2846)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/containerd/containerd
      vulnerable_at: 1.7.27
summary: CVE-2024-40635 in github.com/containerd/containerd
cves:
    - CVE-2024-40635
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-40635
    - fix: https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da
    - fix: https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20
    - fix: https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a
    - web: https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg
source:
    id: CVE-2024-40635
    created: 2025-03-17T23:01:10.648117188Z
review_status: UNREVIEWED

[thatnealpatel]

Duplicate of #3528