| CARVIEW |
Select Language
HTTP/2 200
date: Fri, 25 Jul 2025 18:53:52 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
etag: W/"487c874c98f346d08bb1b973966acf6b"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=MEdl9WqyoWodGgRfqmSDDFG54NpPE%2BsBY5R8QXmlW9KjdTYe9RnfrGcg%2FbjUwRHT%2FEhcMgaaWx4vJolgfeBdjg%2FK%2F7Z%2B84qQ41tVJlEmFQpXGuQRUDGJ%2BSXoLtDW9nrYvKRKm%2FQja3G2C2uSRcGvEDavQyU9ZURskks6ix3qXpMrNfBvsa1Nj2%2FdpWqHuiNlVO72Nc1UE%2BvErCXoT%2BLAfujLPiTKxCjHxwSQFzKv%2F2guXfc5i%2BdK8W3FDh%2B%2FOTg%2BPx8qfgdjGLSV1gmPMjv%2BBA%3D%3D--f7BlQ3pwrMiRL70P--a06bgQdPBRe%2FlxBTUChdXA%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.1618587442.1753469632; Path=/; Domain=github.com; Expires=Sat, 25 Jul 2026 18:53:52 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Sat, 25 Jul 2026 18:53:52 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: CD3E:13875:1AEBB:227CD:6883D2C0
containerd CRI plugin: Host memory exhaustion through ExecSync · Advisory · containerd/containerd · GitHub
Skip to content
Navigation Menu
{{ message }}
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
containerd CRI plugin: Host memory exhaustion through ExecSync
Moderate
Package
No package listed
Affected versions
<= 1.5.12, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5
Patched versions
1.5.13, 1.6.6
Description
Severity
Moderate
CVE ID
CVE-2022-31030
Weaknesses
No CWEs
Credits
-
DavidKorczynski Analyst
-
AdamKorcz Analyst
You can’t perform that action at this time.
Impact
A bug was found in containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the
ExecSyncAPI. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation;ExecSyncmay be used when running probes or when executing processes via an "exec" facility.Patches
This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue.
Workarounds
Ensure that only trusted images and commands are used.
References
Credits
The containerd project would like to thank David Korczynski and Adam Korczynski of ADA Logics for responsibly disclosing this issue in accordance with the containerd security policy during a security audit sponsored by CNCF and facilitated by OSTIF.
For more information
If you have any questions or comments about this advisory: