This vulnerability impacts the widely deployed containerd container runtime, a core component of most Kubernetes clusters. Critical containerd runtime directories, including CRI socket directories and the main containerd state directory, are created with incorrect overly permissive default permissions. A local attacker could leverage this misconfiguration to access sensitive runtime data or tamper with container workloads.
Remediation
Upgrade containerd to one of the fixed versions: 1.7.29, 2.0.7, 2.1.5, or 2.2.0. If an immediate upgrade is not possible, manually correct permissions by running chmod to remove group and world access to the affected directories, or switch to running containerd in rootless mode.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.