containerd
containerd is the CNCF container runtime used as the default in Kubernetes and under Docker Engine. NVD uses linuxfoundation:containerd. A live NVD CPE search (2026-04-25) returned no active docker:containerd dictionary entries, so Attestd queries a single namespace.
api usage
Querying containerd
product slug: containerd
version format: 1.6.15, 1.7.20

```bash
curl "https://api.attestd.io/v1/check?product=containerd&version=1.5.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```

1.6.15 is affected by CVE-2023-25173 (supplemental groups not cleared on container exec, leading to privilege escalation).
```json
{
  "product": "containerd",
  "version": "1.5.0",
  "supported": true,
  "risk_state": "high",
  "risk_factors": ["no_authentication_required", "patch_available"],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "1.5.4",
  "confidence": 0.88,
  "cve_ids": ["CVE-2021-32760", "CVE-2021-41103", "CVE-2022-23648", "CVE-2023-25173"],
  "last_updated": "2026-04-25T00:00:00Z"
}
```

safe version
1.7.20 is used as a patched-line example; verify with live API after NVD cycles.
```bash
curl "https://api.attestd.io/v1/check?product=containerd&version=1.7.29" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```

notable cves
CVE history
| CVE | Description | Affects | CVSS |
|---|---|---|---|
| CVE-2023-25173 | Supplemental groups not dropped on exec — privilege escalation. | 1.6.x before 1.6.18 | 7.8 |
| CVE-2022-23648 | Host filesystem leak via volume mount race (TOCTOU). | Multiple | 7.5 |
| CVE-2021-41103 | Incorrect file permissions on container root. | 1.4.x | 7.8 |
| CVE-2020-15257 | Abstract Unix socket exposure allowing host access. | 1.3.x | 5.2 |
| CVE-2024-24786 | Protobuf-Go infinite loop via malformed JSON in containerd message parsing. | 1.7.x | 7.5 |
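
One way to act on a `/v1/check` response in a deploy or CI gate, as an added example that is not Attestd's own code. It runs offline against the example response for version 1.5.0 shown earlier; the `gate` and `parse_version` names, the confidence threshold and the set of blocking `risk_state` values are assumptions (only `high` appears on this page).

```python
import json

# Response body from the page's example query (version=1.5.0).
SAMPLE = json.loads("""
{"product": "containerd", "version": "1.5.0", "supported": true,
 "risk_state": "high", "risk_factors": ["no_authentication_required", "patch_available"],
 "actively_exploited": false, "remote_exploitable": true,
 "authentication_required": false, "patch_available": true,
 "fixed_version": "1.5.4", "confidence": 0.88,
 "cve_ids": ["CVE-2021-32760", "CVE-2021-41103", "CVE-2022-23648", "CVE-2023-25173"],
 "last_updated": "2026-04-25T00:00:00Z"}
""")

# Policy knobs (assumptions, not Attestd defaults). "high" is the only
# risk_state value shown on the page, so it is the only one listed here.
BLOCKING_STATES = {"high"}
MIN_CONFIDENCE = 0.5
REQUIRED = ("supported", "risk_state", "actively_exploited", "confidence")


def parse_version(text):
    """'1.6.15' -> (1, 6, 15); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.split("."))


def gate(resp):
    """Evaluate one /v1/check response; any missing field fails closed."""
    missing = [key for key in REQUIRED if key not in resp]
    if missing:
        return {"allow": False, "upgrade_to": None,
                "reasons": ["missing field: " + key for key in missing]}
    reasons = []
    if not resp["supported"]:
        reasons.append("product not supported, no verdict available")
    if resp["confidence"] < MIN_CONFIDENCE:
        reasons.append("confidence below policy threshold")
    if resp["actively_exploited"]:
        reasons.append("actively exploited")
    if resp["risk_state"] in BLOCKING_STATES:
        reasons.append("risk_state=" + resp["risk_state"])
    upgrade_to = None
    fixed = resp.get("fixed_version")
    if reasons and resp.get("patch_available") and fixed:
        try:  # suggest the fix only if it is newer than the queried version
            if parse_version(resp["version"]) < parse_version(fixed):
                upgrade_to = fixed
        except (KeyError, ValueError):
            reasons.append("could not compare version with fixed_version")
    return {"allow": not reasons, "reasons": reasons, "upgrade_to": upgrade_to}
```

Calling `gate(SAMPLE)` blocks the deployment with the reason `risk_state=high` and reports `1.5.4` as the upgrade target taken from `fixed_version`.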