CVE-2024-40635
Public on 2025-03-17
Modified on 2025-05-12
Description
containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | containerd | No Fix Planned | ||
| Amazon Linux 2 - Docker Extra | containerd | 2025-03-26 | ALAS2DOCKER-2025-054 | Fixed |
| Amazon Linux 2 - Ecs Extra | containerd | 2025-04-23 | ALAS2ECS-2025-056 | Fixed |
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | containerd | 2025-03-26 | ALAS2NITRO-ENCLAVES-2025-051 | Fixed |
| Amazon Linux 2023 | containerd | 2025-03-26 | ALAS2023-2025-920 | Fixed |
| Amazon Linux 1 | docker | No Fix Planned | ||
| Amazon Linux 2 - Ecs Extra | docker | Pending Fix | ||
| Amazon Linux 2 - Docker Extra | docker | 2025-05-21 | ALAS2DOCKER-2025-066 | Fixed |
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | docker | 2025-05-21 | ALAS2NITRO-ENCLAVES-2025-062 | Fixed |
| Amazon Linux 2023 | docker | 2025-05-21 | ALAS2023-2025-987 | Fixed |
| Amazon Linux 1 | ecs-init | No Fix Planned | ||
| Amazon Linux 2 - Ecs Extra | ecs-init | Pending Fix | ||
| Amazon Linux 2023 | ecs-init | Pending Fix |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 4.6 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N |
| NVD | CVSSv3 | 4.6 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N |