CVE List

Containerd

CVE
Title
Affected versions
References
​CVE-2022-23648​
Containers that launched through containerd's CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host
<= 1.4.12
1.5.0 - 1.5.9
1.6.0
​CVE-2021-41103​
Insufficiently restricted permissions on container root and plugin directories
<1.4.11
<1.5.7
​CVE-2021-32760​
Archive package allows chmod of file outside of unpack target directory
<=1.4.7
<=1.5.3
​CVE-2021-21334​
containerd CRI plugin: environment variables can leak between containers
<=1.3.9
<= 1.4.3
​CVE-2020-15257​
containerd-shim API Exposed to Host Network Containers
<=1.3.7
1.4.0
1.4.1
​CVE-2020-15157​
containerd v1.2.x can be coerced into leaking credentials during image pull
< 1.3.0

CRI-O

CVE
Title
Affected versions
References
​CVE-2022-0811​
Rights to deploy a pod on a Kubernetes cluster leads to abusing the kernel.core_pattern parameter
>1.19.0

Linux kernel

CVE
Title
Required capabilities
References
​CVE-2022-25636​
An out-of-bounds memory access leads to privilege escalation
CAP_NET_ADMIN
​CVE-2022-0492​
Missing verification allows setting the release_agent file for the process without administrative privileges
CAP_SYS_ADMIN
Disabled AppArmor/SELinux
Disabled Seccomp
​CVE-2022-0185​
A heap-based buffer overflow flaw in the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel
​CVE-2021-22555​
A heap out-of-bounds write in Linux Netfilter
CAP_NET_ADMIN
​CVE-2021-31440​
The flaw in handling of eBPF programs leads to escalate privileges
CAP_SYS_MODULE
​CVE-2020-8835​
The bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory
CAP_SYS_ADMIN
​CVE-2017-7308​
The packet_set_ring function in net/packet/af_packet.c does not properly validate certain block-size data, which allows local users to gain privileges via crafted system calls.
CAP_NET_RAW

RunC

CVE
Title
Affected versions
References
​CVE-2021-30465​
mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs
<=1.0.0-rc94
​CVE-2019-19921​
procfs race condition with a shared volume mount
<1.0.0-rc10

References