{"api_version":"1","generated_at":"2026-04-23T05:15:40+00:00","cve":"CVE-2022-31030","urls":{"html":"https://cve.report/CVE-2022-31030","api":"https://cve.report/api/cve/CVE-2022-31030.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-31030","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-31030"},"summary":{"title":"CVE-2022-31030","description":"containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an \"exec\" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-06-09 14:15:00","updated_at":"2024-01-31 13:15:00"},"problem_types":["CWE-400"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/","name":"FEDORA-2022-725ac93b48","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: golang-github-containerd-cni-1.1.6-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2022/dsa-5162","name":"DSA-5162","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5162-1 containerd","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382","name":"https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382","refsource":"MISC","tags":[],"title":"Merge pull request from GHSA-5ffw-gxpp-mxpf · containerd/containerd@c1bcabb · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf","name":"https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf","refsource":"CONFIRM","tags":[],"title":"containerd CRI plugin: Host memory exhaustion through ExecSync · Advisory · containerd/containerd · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202401-31","name":"GLSA-202401-31","refsource":"","tags":[],"title":"containerd: Multiple Vulnerabilities (GLSA 202401-31) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2022/06/07/1","name":"[oss-security] 20220606 CVE-2022-31030: containerd CRI plugin: Host memory exhaustion through ExecSync","refsource":"MLIST","tags":[],"title":"oss-security - CVE-2022-31030: containerd CRI plugin: Host memory exhaustion through ExecSync","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/","name":"FEDORA-2022-1da581ac6d","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: golang-x-sys-0-23.20220604gitbc2c85a.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/","name":"FEDORA-2022-725ac93b48","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: golang-github-containerd-cni-1.1.6-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/","name":"FEDORA-2022-1da581ac6d","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: golang-x-sys-0-23.20220604gitbc2c85a.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-31030","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31030","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"31030","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"31030","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"31030","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"31030","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"containerd","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-31030","qid":"179373","title":"Debian Security Update for containerd (DSA 5162-1)"},{"cve":"CVE-2022-31030","qid":"182800","title":"Debian Security Update for containerd (CVE-2022-31030)"},{"cve":"CVE-2022-31030","qid":"199074","title":"Ubuntu Security Notification for containerd Vulnerabilities (USN-5776-1)"},{"cve":"CVE-2022-31030","qid":"282822","title":"Fedora Security Update for containerd (FEDORA-2022-725ac93b48)"},{"cve":"CVE-2022-31030","qid":"282823","title":"Fedora Security Update for containerd (FEDORA-2022-1da581ac6d)"},{"cve":"CVE-2022-31030","qid":"353953","title":"Amazon Linux Security Advisory for containerd : ALAS-2022-1600"},{"cve":"CVE-2022-31030","qid":"353959","title":"Amazon Linux Security Advisory for containerd : ALAS2NITRO-ENCLAVES-2022-020"},{"cve":"CVE-2022-31030","qid":"353961","title":"Amazon Linux Security Advisory for containerd : ALAS2DOCKER-2022-019"},{"cve":"CVE-2022-31030","qid":"354454","title":"Amazon Linux Security Advisory for containerd : ALAS2022-2022-088"},{"cve":"CVE-2022-31030","qid":"354470","title":"Amazon Linux Security Advisory for containerd : ALAS2022-2022-156"},{"cve":"CVE-2022-31030","qid":"354710","title":"Amazon Linux Security Advisory for containerd : ALAS2022-2022-210"},{"cve":"CVE-2022-31030","qid":"355261","title":"Amazon Linux Security Advisory for containerd : ALAS2023-2023-079"},{"cve":"CVE-2022-31030","qid":"502260","title":"Alpine Linux Security Update for containerd"},{"cve":"CVE-2022-31030","qid":"504648","title":"Alpine Linux Security Update for containerd"},{"cve":"CVE-2022-31030","qid":"6140336","title":"AWS Bottlerocket Security Update for containerd (GHSA-j6hv-fhh3-c96f)"},{"cve":"CVE-2022-31030","qid":"672148","title":"EulerOS Security Update for docker-engine (EulerOS-SA-2022-2427)"},{"cve":"CVE-2022-31030","qid":"672156","title":"EulerOS Security Update for docker-engine (EulerOS-SA-2022-2414)"},{"cve":"CVE-2022-31030","qid":"672674","title":"EulerOS Security Update for containerd (EulerOS-SA-2023-1406)"},{"cve":"CVE-2022-31030","qid":"672692","title":"EulerOS Security Update for containerd (EulerOS-SA-2023-1421)"},{"cve":"CVE-2022-31030","qid":"673082","title":"EulerOS Security Update for docker-engine (EulerOS-SA-2023-2142)"},{"cve":"CVE-2022-31030","qid":"673102","title":"EulerOS Security Update for docker-engine (EulerOS-SA-2023-2190)"},{"cve":"CVE-2022-31030","qid":"710846","title":"Gentoo Linux containerd Multiple Vulnerabilities (GLSA 202401-31)"},{"cve":"CVE-2022-31030","qid":"752333","title":"SUSE Enterprise Linux Security Update for containerd, docker and runc (SUSE-SU-2022:2341-1)"},{"cve":"CVE-2022-31030","qid":"902176","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (9912)"},{"cve":"CVE-2022-31030","qid":"902180","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (9918)"},{"cve":"CVE-2022-31030","qid":"902375","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (9918-1)"},{"cve":"CVE-2022-31030","qid":"902498","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (9912-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2022-31030","STATE":"PUBLIC","TITLE":"containerd CRI plugin: Host memory exhaustion through ExecSync"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"containerd","version":{"version_data":[{"version_value":"< 1.5.13"},{"version_value":">= 1.6.0, < 1.6.6"}]}}]},"vendor_name":"containerd"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an \"exec\" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-400: Uncontrolled Resource Consumption"}]}]},"references":{"reference_data":[{"name":"https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf","refsource":"CONFIRM","url":"https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf"},{"name":"https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382","refsource":"MISC","url":"https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382"},{"refsource":"MLIST","name":"[oss-security] 20220606 CVE-2022-31030: containerd CRI plugin: Host memory exhaustion through ExecSync","url":"http://www.openwall.com/lists/oss-security/2022/06/07/1"},{"refsource":"DEBIAN","name":"DSA-5162","url":"https://www.debian.org/security/2022/dsa-5162"},{"refsource":"FEDORA","name":"FEDORA-2022-725ac93b48","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/"},{"refsource":"FEDORA","name":"FEDORA-2022-1da581ac6d","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/"}]},"source":{"advisory":"GHSA-5ffw-gxpp-mxpf","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-06-09 14:15:00","lastModifiedDate":"2024-01-31 13:15:00","problem_types":["CWE-400"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:N/I:N/A:P","accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":2.1},"severity":"LOW","exploitabilityScore":3.9,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*","versionEndExcluding":"1.5.13","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*","versionStartIncluding":"1.6.0","versionEndExcluding":"1.6.6","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}