PT-2025-22408 · Unknown+1 · Kubernetes Containerd

Rata +1 · Published 2025-05-21 · Updated 2025-11-27 · CVE-2025-47291

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: containerd versions 2.0.1 through 2.0.4
Description: A bug was found in containerd's CRI implementation: it does not place user-namespaced containers under the Kubernetes cgroup hierarchy, so some Kubernetes limits are not honored. This may lead to a denial of service of the Kubernetes node.
Recommendations: For containerd versions 2.0.1 through 2.0.4, update to version 2.0.5 or later, or 2.1.0 or later, to resolve the issue. As a temporary workaround, consider disabling user-namespaced pods in Kubernetes until the issue is resolved.
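
An added exposure check, not part of the original advisory: it flags nodes whose containerd version falls in the affected range stated above and lists the user-namespaced pods scheduled on them. It assumes input shaped like the JSON from `kubectl get nodes -o json` and `kubectl get pods -A -o json`, treats pods with `spec.hostUsers: false` as user-namespaced, and runs here on constructed sample data with hypothetical node and pod names.

```python
import re

# Affected range as stated in this advisory: containerd 2.0.1 through 2.0.4.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 1), (2, 0, 4)

def parse_runtime(runtime_version):
    """Return (major, minor, patch) from 'containerd://X.Y.Z...', else None."""
    m = re.match(r"containerd://v?(\d+)\.(\d+)\.(\d+)", runtime_version or "")
    return tuple(int(g) for g in m.groups()) if m else None

def is_affected(runtime_version):
    version = parse_runtime(runtime_version)
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX

def exposed_pods(nodes, pods):
    """Map each node on an affected containerd to its user-namespaced pods."""
    report = {
        n["metadata"]["name"]: []
        for n in nodes["items"]
        if is_affected(n["status"]["nodeInfo"]["containerRuntimeVersion"])
    }
    for p in pods["items"]:
        spec, meta = p["spec"], p["metadata"]
        # hostUsers: false requests a user namespace; absent or true does not.
        if spec.get("nodeName") in report and spec.get("hostUsers") is False:
            report[spec["nodeName"]].append(f'{meta["namespace"]}/{meta["name"]}')
    return report

# Constructed sample data, trimmed to the fields the check reads.
def _node(name, runtime):
    return {"metadata": {"name": name},
            "status": {"nodeInfo": {"containerRuntimeVersion": runtime}}}

def _pod(ns, name, node, host_users=None):
    spec = {"nodeName": node}
    if host_users is not None:
        spec["hostUsers"] = host_users
    return {"metadata": {"namespace": ns, "name": name}, "spec": spec}

SAMPLE_NODES = {"items": [_node("node-a", "containerd://2.0.4"),
                          _node("node-b", "containerd://2.0.5"),
                          _node("node-c", "containerd://2.0.2")]}
SAMPLE_PODS = {"items": [_pod("team1", "userns-job", "node-a", False),
                         _pod("team1", "web", "node-a"),
                         _pod("team2", "userns-api", "node-b", False),
                         _pod("team2", "batch", "node-c", True)]}

if __name__ == "__main__":
    for node, names in sorted(exposed_pods(SAMPLE_NODES, SAMPLE_PODS).items()):
        print(node, "affected containerd;", "userns pods:", names or "none")
```

A node listed with an empty pod list still needs the upgrade; it only has no user-namespaced pods on it at the moment of the snapshot.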

Exploit

Fix

DoS

Incorrect Privilege Assignment

Weakness Enumeration

Related Identifiers

AZL-62003
CVE-2025-47291
GHSA-CXFP-7PVR-95FF
GO-2025-3701
OPENSUSE-SU-2025:15159-1
OPENSUSE-SU-2025:15454-1
OPENSUSE-SU-2025:20117-1
OPENSUSE-SU-2026:20798-1

Affected Products

Kubernetes Containerd