CVE-2025-64329: 
Docker vulnerability analysis and mitigation

CVE-2025-64329 affects containerd, an open-source container runtime. The vulnerability was discovered and disclosed on November 6, 2025, impacting versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1. The issue involves a bug in the CRI Attach implementation that can lead to memory exhaustion on the host system (GitHub Advisory, NVD).

The vulnerability stems from a goroutine leak in the ContainerIO.Attach implementation within the CRI server. The issue occurs due to improper handling of client disconnects, causing goroutines to accumulate and consume memory. The vulnerability has been assigned a CVSS v4.0 Base Score of 6.9 (Medium) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime) (Miggo, NVD).

When exploited, this vulnerability allows an attacker to exhaust memory on the host system through repetitive calls to CRI Attach (e.g., via kubectl attach). The continuous accumulation of unreleased goroutines leads to increased memory consumption by the containerd process, potentially affecting system stability and availability (GitHub Advisory).

The vulnerability has been patched in containerd versions 1.7.29, 2.0.7, 2.1.5, and 2.2.0. Users are advised to upgrade to these patched versions. As a temporary workaround, users can set up an admission controller to control access to pods/attach resources, such as implementing a Validating Admission Policy (GitHub Advisory).