Amazon Linux 2 Security Advisory: ALAS2DOCKER-2025-086
Advisory Released Date: 2025-12-08
Advisory Updated Date: 2025-12-08
containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability: the directories `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect (group- and world-accessible) permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Until the update is applied, a system administrator on the host can work around it by chmod'ing these directories so that they are not group- or world-accessible, or by running containerd in rootless mode. (CVE-2024-25621)
containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation: goroutines leaked by attach requests let a user who is allowed to attach to pods exhaust memory on the host. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. As a workaround, users can set up an admission controller that restricts access to the pods/attach resource. (CVE-2025-64329)
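The following POSIX sh script is an added example; it is not part of this advisory or of the containerd project. It audits the three directories named under CVE-2024-25621 for group- or world-accessible permission bits, applies the advisory's chmod workaround when asked, and checks an upstream containerd version string against the fixed releases listed above (1.7.29, 2.0.7, 2.1.5, 2.2.0), so it also answers the "am I on an affected version?" question for CVE-2025-64329. The directory list and the fixed-version table come from the advisory text; the function names and the `audit`/`fix` command words are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the ALAS advisory or of containerd itself.
# Audits the directories named in CVE-2024-25621 for group/world access,
# optionally tightens them (the advisory's chmod workaround), and checks an
# upstream containerd version against the fixed releases in the advisory
# (1.7.29, 2.0.7, 2.1.5, 2.2.0). Function names and the "audit"/"fix"
# command words are conventions of this example only.

# Directories the advisory says were created with incorrect permissions.
CONTAINERD_DIRS="/var/lib/containerd \
/run/containerd/io.containerd.grpc.v1.cri \
/run/containerd/io.containerd.sandbox.controller.v1.shim"

# perms_are_private MODESTRING: succeed when an `ls -l` style mode string
# (e.g. drwx------) grants nothing to group or other (characters 5-10).
perms_are_private() {
    go=$(printf '%s\n' "$1" | cut -c5-10)
    [ "$go" = "------" ]
}

# dir_is_private DIR: 0 = private, 1 = group/world accessible, 2 = missing.
# Uses ls -ld rather than stat -c so it behaves the same on GNU and BSD.
dir_is_private() {
    [ -d "$1" ] || return 2
    perms_are_private "$(ls -ld "$1")"
}

# containerd_is_fixed VERSION: succeed when VERSION (upstream form such as
# 2.1.5 or v2.2.0-rc.1; a distro release tag like 2.1.5-1.amzn2.0.1 is
# tolerated) is at or past the fixed release for its branch.
containerd_is_fixed() {
    v=${1#v}
    base=${v%%-*}                 # 2.2.0-rc.1 -> 2.2.0
    suffix=${v#"$base"}           # -rc.1, -1.amzn2.0.1, or empty
    case "$suffix" in
        -alpha*|-beta*|-rc*) prerelease=1 ;;   # precedes the bare release
        *)                   prerelease=0 ;;   # distro release tag, ignore
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%.*}
    case "$major.$minor" in
        1.7) fixed=29 ;;
        2.0) fixed=7 ;;
        2.1) fixed=5 ;;
        2.2) fixed=0 ;;
        *)
            # Branches newer than 2.2 postdate the fix. Older branches
            # (0.1.0 up to 1.6.x) are listed as affected with no fixed
            # release of their own, so only upgrading to 1.7.29+ helps.
            [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 2 ]; }
            return $? ;;
    esac
    [ "$patch" -gt "$fixed" ] && return 0
    [ "$patch" -lt "$fixed" ] && return 1
    [ "$prerelease" -eq 0 ]       # 2.2.0-rc.1 is affected, 2.2.0 is fixed
}

# Report each directory; exit status 1 if any existing directory is loose.
audit_all() {
    rc=0
    for d in $CONTAINERD_DIRS; do
        dir_is_private "$d" && st=0 || st=$?
        case $st in
            0) echo "ok      $d" ;;
            2) echo "missing $d" ;;
            *) echo "LOOSE   $d  $(ls -ld "$d" | cut -c1-10)"; rc=1 ;;
        esac
    done
    return $rc
}

# Apply the advisory's workaround: strip group/other bits from existing
# directories. Run as root. containerd creates its state directories at
# start-up, so re-run the audit after every containerd restart until the
# package itself has been updated.
fix_all() {
    for d in $CONTAINERD_DIRS; do
        [ -d "$d" ] || continue
        chmod go-rwx "$d" && echo "tightened $d"
    done
}

case "${1:-}" in
    audit) audit_all ;;
    fix)   fix_all && audit_all ;;
    *)     echo "usage: $0 audit|fix" ;;
esac
```

Feed `containerd_is_fixed` the upstream version only (for example the VERSION field from `rpm -q --qf '%{VERSION}\n' containerd`, which reports 2.1.5 for the packages listed below); the function treats `-alpha`, `-beta` and `-rc` suffixes as pre-releases that sort before the bare release, exactly as the advisory's ranges do, and ignores distro release tags.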
Affected Packages:
containerd
Note:
This advisory applies to the Amazon Linux 2 Docker Extra (the containerd package is shipped from the docker extra, not from AL2 Core). See the Amazon Linux 2 (AL2) Extras documentation and its FAQ for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update containerd or yum update --advisory ALAS2DOCKER-2025-086 to update your system.
aarch64:
containerd-2.1.5-1.amzn2.0.1.aarch64
containerd-stress-2.1.5-1.amzn2.0.1.aarch64
containerd-debuginfo-2.1.5-1.amzn2.0.1.aarch64
src:
containerd-2.1.5-1.amzn2.0.1.src
x86_64:
containerd-2.1.5-1.amzn2.0.1.x86_64
containerd-stress-2.1.5-1.amzn2.0.1.x86_64
containerd-debuginfo-2.1.5-1.amzn2.0.1.x86_64