runc · CVE-2024-45310
**Name of the Vulnerable Software and Affected Versions**
runc versions 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier
**Description**
The issue is a race condition in how runc creates mount destinations inside a container's root filesystem. runc resolves the destination path and then calls `os.MkdirAll` on it, but `os.MkdirAll` follows symlinks in every component it touches. If a volume is shared between two containers, a second container can replace a path component with a symlink to an arbitrary host location in the window between path resolution and the `mkdir`, so the empty directory (or, for file bind mounts, the empty file) runc creates lands on the host filesystem instead of inside the container. Existing host files are not truncated or overwritten; the attacker gains only the ability to create new empty files and directories, which is why runc rated the issue low severity. The attacker must be able to start containers with a custom volume configuration. Containers using user namespaces are still affected, but the attacker can then only create inodes in host directories that the remapped root user and group can write to, which in practice usually means world-writable directories. Sufficiently strict LSM policies (SELinux or AppArmor) applied to the runc runtime can also block or narrow the attack. The issue is exploitable using runc directly as well as through Docker and Kubernetes.
**Recommendations**
For runc versions 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, update to version 1.1.14 or 1.2.0-rc3 to fix the issue.
As a temporary workaround, run containers with user namespaces. This does not fix the bug, but it limits the attacker to creating inodes in host directories the remapped root user and group can write to; unless that user is mapped to a real host account, this in practice means only world-writable directories.
Minimize world-writable directories on the host (for example by auditing `find / -xdev -type d -perm -0002`), since with user namespaces those are the locations the attacker can still reach.
Apply a strict SELinux or AppArmor policy with a dedicated label for the runc runtime to further restrict the attack scope; note that the upstream advisory did not fully analyse how much protection the standard distribution policies provide.