Containers that launched through containerd's CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host
The bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory
The packet_set_ring function in net/packet/af_packet.c does not properly validate certain block-size data, which allows local users to gain privileges via crafted system calls.