---
Containerd is an industry-standard, widely adopted open-source container runtime. It enables developers to build lightweight, reliable, and secure container environments that are compatible with various platforms.

A security bug affecting containerd versions prior to 1.6.38, 1.7.27, and 2.0.4 impacts any environment that relies on containers running as a non-root user. The bug, tracked as CVE-2024-40635, is triggered when a container is launched with a User set to a UID:GID (user ID : group ID) larger than the maximum 32-bit signed integer (2147483647). The value does not fit the type the runtime handles it with, and the resulting overflow leaves the container running as root (UID 0) instead of the requested user, silently defeating the non-root policy of the environment.

Code Snippet

---
The following command shows how the bug is triggered. The requested UID:GID of 9999999999 is above the 32-bit signed limit, so on an unpatched runtime the container does not end up with the user that was asked for. Running `id -u` as the container's command is the quickest way to confirm which user the process actually runs as:

$ docker run --rm -it -u 9999999999:9999999999 example_image

Original References

---

This bug has been reported and documented in the following official sources:

- Containerd GitHub Repository: https://github.com/containerd/containerd
- CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2024-40635

Exploit Details

---
The issue arises when a container is created with a UID or GID larger than the maximum 32-bit signed integer (2147483647). Instead of being rejected, the out-of-range value overflows, and the container's process ends up running as UID 0 rather than as the requested non-root user. The value can come from the run request (such as a `-u` flag) or from the image configuration, which is why the workaround below concerns trusted images and who is allowed to import them; no special privileges on the host are needed to supply it.

The practical impact is that a workload meant to be unprivileged runs as root inside the container: every file the image and any mounted volumes expose is writable, and any further abuse that requires in-container root becomes easier. It is not by itself a container escape. The process is still confined by namespaces, capabilities, seccomp and the runtime's other controls, but any policy that assumed a non-root user (read-only data, least-privilege file ownership, audit expectations) no longer holds.

Solution

---
To address this issue, the containerd team has released fixed versions of containerd (1.6.38, 1.7.27, and 2.0.4) that correct the overflow. Containerd users are strongly advised to update their container runtime to one of the patched versions.

As a temporary workaround, ensure that only trusted images are used in the container environment and that only trusted users have permission to import images, since an image can carry the user setting that triggers the bug.

Beyond that, validate UID:GID values at the point where they enter the system (admission controllers, CI checks on image configurations, wrapper tooling) so that values outside the 32-bit range are rejected rather than passed on to the runtime, and verify the effective user of running containers instead of assuming the requested one took effect.
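The following Go program is an added illustration and is not containerd's code, nor the exact code path the advisory covers. It demonstrates the bug class described under Exploit Details above and the validation the Solution section recommends: a naive parser that narrows an arbitrary integer to uint32 silently changes the requested ID (and turns a negative value into the 4294967295 overflow ID), a hardened parser fails closed, and a final check compares the UID actually written into a container spec against what was requested. The maxAllowedID ceiling, the function names and the sample inputs are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// maxAllowedID is the ceiling this example enforces (assumption of this
// example, not containerd's policy): anything above the largest 32-bit
// signed integer, the threshold the advisory names, is refused at the API
// edge instead of being passed to the runtime and possibly remapped.
const maxAllowedID = math.MaxInt32

// ErrOutOfRange is returned for IDs that are not a plain decimal number
// within [0, maxAllowedID].
var ErrOutOfRange = errors.New("uid/gid outside the permitted range")

// naiveParseID shows the unsafe pattern: accept whatever a platform int can
// hold, then narrow to uint32. On 64-bit Go, strconv.Atoi accepts
// 9999999999 and "-1", and the conversion silently drops the high bits.
func naiveParseID(s string) (uint32, error) {
	v, err := strconv.Atoi(s)
	if err != nil {
		return 0, err
	}
	return uint32(v), nil // no range check: truncation and sign wrap go unnoticed
}

// safeParseID parses a decimal UID or GID and fails closed: no sign prefix,
// nothing that does not fit in 32 bits (ParseUint with bitSize 32 reports
// strconv.ErrRange), and nothing above maxAllowedID.
func safeParseID(s string) (uint32, error) {
	v, err := strconv.ParseUint(s, 10, 32)
	if err != nil {
		return 0, fmt.Errorf("%w: %q: %v", ErrOutOfRange, s, err)
	}
	if v > maxAllowedID {
		return 0, fmt.Errorf("%w: %d > %d", ErrOutOfRange, v, maxAllowedID)
	}
	return uint32(v), nil
}

// parseUser splits a "UID:GID" (or bare "UID") string with the supplied ID
// parser so the naive and hardened behaviours can be compared side by side.
func parseUser(user string, parseID func(string) (uint32, error)) (uid, gid uint32, err error) {
	parts := strings.Split(user, ":")
	if len(parts) > 2 {
		return 0, 0, fmt.Errorf("malformed user %q", user)
	}
	if uid, err = parseID(parts[0]); err != nil {
		return 0, 0, err
	}
	if len(parts) == 2 {
		if gid, err = parseID(parts[1]); err != nil {
			return 0, 0, err
		}
	}
	return uid, gid, nil
}

// verifyEffectiveUID is the belt-and-braces check for environments that
// mandate non-root containers: compare the UID the caller asked for (as
// typed, parsed as a 64-bit value so nothing is lost) with the UID that
// actually landed in the container spec, and refuse to start on mismatch.
func verifyEffectiveUID(requested string, effective uint32) error {
	want, err := strconv.ParseUint(requested, 10, 64)
	if err != nil {
		return fmt.Errorf("requested UID %q is not a decimal number: %w", requested, err)
	}
	switch {
	case uint64(effective) == want:
		return nil
	case effective == 0:
		return fmt.Errorf("requested UID %d but the process would run as root (UID 0)", want)
	default:
		return fmt.Errorf("requested UID %d but the process would run as UID %d", want, effective)
	}
}

func main() {
	// Constructed sample inputs: a normal user, the first value above
	// MaxInt32, the advisory-style value, and a negative ID.
	for _, u := range []string{"1000:1000", "2147483648:0", "9999999999:9999999999", "-1:0"} {
		nu, ng, nerr := parseUser(u, naiveParseID)
		su, sg, serr := parseUser(u, safeParseID)
		fmt.Printf("%-24s naive=(%d,%d,%v)  safe=(%d,%d,%v)\n", u, nu, ng, nerr, su, sg, serr)
	}
	fmt.Println(verifyEffectiveUID("1000", 0))
}
```

To apply the last check in practice, feed verifyEffectiveUID the value of process.user.uid from the runtime's generated config.json (or the output of `id -u` inside the container) before trusting a workload as non-root; it catches a UID 0 result regardless of which parsing step produced it.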

Conclusion

---
Security vulnerabilities, such as CVE-2024-40635, underscore the importance of keeping container environments up-to-date and regularly reviewing security configurations. It is crucial for developers and administrators to promptly deploy patches and security updates to avoid exploitation and to maintain the security and reliability of their container environments.

Timeline

Published on: 03/17/2025 22:15:13 UTC