CVE-2024-40635
Published: 17 March 2025
Summary
CVE-2024-40635 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Linuxfoundation Containerd. Its CVSS base score is 4.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 19.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Updating vulnerable containerd installations to the patched releases (1.6.38, 1.7.27, 2.0.4) directly remediates the integer overflow in UID/GID handling that causes containers to run as root.
Validating UID/GID inputs to containerd prevents processing of oversized values that trigger the integer overflow and unintended root execution.
Enforcing least privilege restricts high-privilege access required to import and launch containers with oversized UID/GID, limiting exploitation opportunities.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The integer overflow in containerd's UID:GID handling directly causes containers to execute as root (UID 0) instead of the intended non-root user, enabling an attacker to exploit the flaw for privilege escalation in non-root enforcement environments.
NVD Description
containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.0.4. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
Deeper analysis
CVE-2024-40635 is an integer overflow vulnerability (CWE-190) in containerd, an open-source container runtime. It affects versions prior to 1.6.38, 1.7.27, and 2.0.4. The flaw occurs when containers are launched with a User specified as a UID:GID larger than the maximum 32-bit signed integer, triggering an overflow that causes the container to run as root (UID 0) rather than the intended non-root user, leading to unexpected privilege escalation behavior in environments enforcing non-root execution.
Exploitation requires local access (AV:L), low complexity (AC:L), and high privileges (PR:H), with no user interaction needed (UI:N). A privileged local attacker can import and launch a container image with an oversized UID:GID value, causing the overflow and allowing the container to execute with root privileges. This achieves low confidentiality and integrity impacts (C:L/I:L/A:N) but in a changed scope (S:C), as scored at CVSS 4.6 (CVSS:3.1).
Patches addressing the issue are available in containerd commits 05044ec0a9a75232cad458027ca83437aae3f4da, 1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20, and cf158e884cfe4812a6c371b59e4ea9bc4c46e51a, fixing the vulnerability in versions 1.6.38, 1.7.27, and 2.0.4. The containerd security advisory GHSA-265r-hfxg-fhmg details the issue, recommending upgrades. As a workaround, use only trusted images and limit image import permissions to trusted users. A Debian LTS announcement provides additional distribution-specific guidance.
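The following Go example is added here to illustrate the two points above: the wraparound that turns an oversized `UID:GID` into UID 0 when a 64-bit value is narrowed to a signed 32-bit type, and the input validation (NIST SI-10) that rejects such values before a container is launched. It is illustrative code written for this page, not containerd's own parser or its fix; the function names `ParseUserUnchecked` and `ParseUserStrict` and the sample input are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// Illustrative example, not containerd's code: shows how an oversized
// "UID:GID" string wraps when narrowed to a signed 32-bit type, and how a
// strict parser rejects the same input before a container is launched.

// splitUser splits "uid[:gid]" into its two parts; a missing GID defaults
// to the UID, as is common for container user strings.
func splitUser(user string) (string, string) {
	parts := strings.SplitN(user, ":", 2)
	if len(parts) == 1 {
		return parts[0], parts[0]
	}
	return parts[0], parts[1]
}

// ParseUserUnchecked reproduces the unsafe pattern: parse as 64-bit, then
// narrow to int32 with no range check. 4294967296 (2^32) becomes 0, so the
// process would run as root even though a huge non-root ID was requested.
func ParseUserUnchecked(user string) (int32, int32, error) {
	uidStr, gidStr := splitUser(user)
	uid64, err := strconv.ParseUint(uidStr, 10, 64)
	if err != nil {
		return 0, 0, err
	}
	gid64, err := strconv.ParseUint(gidStr, 10, 64)
	if err != nil {
		return 0, 0, err
	}
	return int32(uid64), int32(gid64), nil // wraparound happens here
}

// ParseUserStrict is the hardened form: ParseUint with bitSize 32 fails on
// anything above math.MaxUint32, the all-ones value is rejected because
// Linux treats (uid_t)-1 as the "no change" sentinel, and when
// requireNonRoot is set a resolved ID of 0 is refused instead of silently
// granting root.
func ParseUserStrict(user string, requireNonRoot bool) (uint32, uint32, error) {
	uidStr, gidStr := splitUser(user)
	ids := [2]uint32{}
	for i, s := range []string{uidStr, gidStr} {
		v, err := strconv.ParseUint(s, 10, 32)
		if err != nil {
			return 0, 0, fmt.Errorf("user %q: id %q not numeric or out of 32-bit range: %w", user, s, err)
		}
		if v == math.MaxUint32 {
			return 0, 0, fmt.Errorf("user %q: id %q is the reserved -1 sentinel", user, s)
		}
		ids[i] = uint32(v)
	}
	if requireNonRoot && (ids[0] == 0 || ids[1] == 0) {
		return 0, 0, errors.New("user " + user + ": root UID/GID not permitted by policy")
	}
	return ids[0], ids[1], nil
}

func main() {
	// Constructed input: 2^32 as both UID and GID.
	over := "4294967296:4294967296"
	uid, gid, _ := ParseUserUnchecked(over)
	fmt.Printf("unchecked: %s -> uid=%d gid=%d (would run as root)\n", over, uid, gid)
	if _, _, err := ParseUserStrict(over, true); err != nil {
		fmt.Println("strict:", err)
	}
}
```

The design point is that the range check belongs at the parse boundary: `strconv.ParseUint(s, 10, 32)` already returns an error for anything wider than 32 bits, so the narrowing conversion never sees an out-of-range value. The `requireNonRoot` policy check is a second, independent guard for environments that, as the advisory describes, depend on containers never resolving to UID 0.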
Details
- CWE(s)