CVE-2025-47291: 
Trivy vulnerability analysis and mitigation

A vulnerability (CVE-2025-47291) was discovered in containerd, an open-source container runtime. The issue affects containerd versions from 2.0.1 to 2.0.4, where the containerd's CRI implementation incorrectly handles cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods. The vulnerability was disclosed on May 21, 2025 (Wiz, GitHub Advisory).

The vulnerability stems from a bug in the containerd's CRI implementation where containers running in usernamespaced pods are not properly placed under the Kubernetes' cgroup hierarchy. This incorrect placement results in Kubernetes resource limits not being properly enforced. The vulnerability has been assigned a CVSS v4.0 score of 4.6 (MEDIUM) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U and is classified under CWE-266 (Incorrect Privilege Assignment) (NVD).

The primary impact of this vulnerability is the potential for denial of service of the Kubernetes node due to the improper enforcement of resource limits. Since containers in usernamespaced pods bypass the intended cgroup hierarchy, they may consume resources beyond their allocated limits (GitHub Advisory).

The vulnerability has been patched in containerd versions 2.0.5+ and 2.1.0+. Users are strongly advised to upgrade to these patched versions. As a temporary workaround, administrators can disable usernamespaced pods in Kubernetes until the upgrade can be completed (GitHub Advisory).

The containerd project acknowledged the responsible disclosure by Rodrigo Campos Catelin and Piotr Rogowski, who reported the vulnerability in accordance with the containerd security policy (GitHub Advisory).