Vulnerability Description
containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition in which the container ultimately runs as root (UID 0). This could cause unexpected behavior in environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.0.4. As a workaround, ensure that only trusted images are used and that only trusted users have permission to import images.
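The following Go program is an added illustration of the bug class described above and is not containerd's code or its actual fix. It reconstructs, in a hypothetical `parseIDUnchecked`, the general pattern behind such overflows (parse the ID as a wide integer, then narrow it to 32 bits with no range check, so a value of 2^32 wraps to exactly 0) and places it beside a bounds-checked `parseIDChecked` that rejects anything above the 32-bit signed maximum, the threshold the advisory names. The `UnexpectedRoot` guard is an assumed policy check a defender can run after parsing to flag a spec that resolved to UID 0 without literally asking for it. All function names, the `UserSpec` type and the sample `UID:GID` strings are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// UserSpec is the parsed form of an image/config "UID:GID" string.
// The fields are 32-bit because that is the width the kernel uses for IDs.
// (Constructed type for this example, not a containerd type.)
type UserSpec struct {
	UID uint32
	GID uint32
}

// parseIDUnchecked is a hypothetical reconstruction of the bug class the
// advisory describes, not containerd's code: the string is parsed as a
// 64-bit integer and then narrowed to 32 bits without a range check, so
// any value of 2^32 or above wraps, and 2^32 itself wraps to exactly 0.
func parseIDUnchecked(s string) (uint32, error) {
	v, err := strconv.ParseInt(s, 10, 64)
	if err != nil {
		return 0, err
	}
	if v < 0 {
		return 0, errors.New("negative id")
	}
	return uint32(v), nil // silent truncation to the low 32 bits
}

// parseIDChecked is the hardened form: ParseInt with bitSize 32 returns
// strconv.ErrRange for anything above math.MaxInt32 (the advisory's stated
// threshold) or below math.MinInt32, and negatives are rejected explicitly,
// so no value can ever wrap on the way to a uint32.
func parseIDChecked(s string) (uint32, error) {
	v, err := strconv.ParseInt(s, 10, 32)
	if err != nil {
		return 0, fmt.Errorf("invalid id %q: %w", s, err)
	}
	if v < 0 {
		return 0, fmt.Errorf("invalid id %q: negative", s)
	}
	return uint32(v), nil
}

// parseUserSpec splits "UID:GID" and parses both halves with the supplied
// per-field parser, so the same split logic serves both variants.
func parseUserSpec(spec string, parseID func(string) (uint32, error)) (UserSpec, error) {
	parts := strings.SplitN(spec, ":", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return UserSpec{}, fmt.Errorf("user spec %q is not of the form UID:GID", spec)
	}
	uid, err := parseID(parts[0])
	if err != nil {
		return UserSpec{}, err
	}
	gid, err := parseID(parts[1])
	if err != nil {
		return UserSpec{}, err
	}
	return UserSpec{UID: uid, GID: gid}, nil
}

// ParseUserSpecUnchecked reproduces the overflow; ParseUserSpecChecked is the fixed variant.
func ParseUserSpecUnchecked(spec string) (UserSpec, error) {
	return parseUserSpec(spec, parseIDUnchecked)
}

func ParseUserSpecChecked(spec string) (UserSpec, error) {
	return parseUserSpec(spec, parseIDChecked)
}

// UnexpectedRoot is a post-parse guard a policy layer can apply regardless of
// which parser ran: it flags a spec that resolved to UID 0 although the text
// did not literally request 0. In an environment that requires non-root
// containers this is the condition to reject or alert on.
func UnexpectedRoot(spec string, u UserSpec) bool {
	requested := strings.SplitN(spec, ":", 2)[0]
	return u.UID == 0 && strings.TrimLeft(requested, "0") != ""
}

func main() {
	// Constructed sample inputs; the last one is exactly 2^32 and exercises the wrap.
	for _, spec := range []string{"1000:1000", "0:0", "4294967296:4294967296"} {
		u, err := ParseUserSpecUnchecked(spec)
		fmt.Printf("unchecked %-24s -> %+v err=%v unexpectedRoot=%v\n",
			spec, u, err, err == nil && UnexpectedRoot(spec, u))
		c, err := ParseUserSpecChecked(spec)
		fmt.Printf("checked   %-24s -> %+v err=%v\n", spec, c, err)
	}
}
```

Running it shows the unchecked variant accepting `4294967296:4294967296` and producing `{UID:0 GID:0}` with no error, while the checked variant returns a wrapped `strconv.ErrRange`; the guard separately flags the first result because the text never asked for 0. Choosing `bitSize` equal to the destination width at parse time is the durable fix; a guard like `UnexpectedRoot` is defence in depth for the case where the parser is not yours to change.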
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Containerd | < 1.6.38 |
| Debian | Debian Linux | 11.0 |
Related Weaknesses (CWE)
References
- https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437 (Patch)
- https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef (Patch)
- https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc (Patch)
- https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg (Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html (Mailing List, Third Party Advisory)
FAQ
What is CVE-2024-40635?
CVE-2024-40635 is a vulnerability with a CVSS score of 4.6 (MEDIUM). containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maxim...
How severe is CVE-2024-40635?
CVE-2024-40635 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2024-40635?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Containerd, Debian Debian Linux.