CVE-2021-41103 in containerd

Summary

by MITRE • 10/04/2021

containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these versions when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Users unable to update should limit access to the host to trusted users. Update directory permission on container bundles directories.


Analysis

by VulDB Data Team • 10/01/2025

The vulnerability identified as CVE-2021-41103 affects containerd, an open source container runtime designed for simplicity, robustness, and portability in containerized environments. This security flaw represents a significant privilege escalation risk that undermines the fundamental security boundaries typically established between host systems and containerized applications. The vulnerability stems from inadequate permission controls within containerd's handling of container root directories and associated plugins, creating exploitable pathways for unprivileged Linux users to gain unauthorized access to containerized environments.

The flaw lies in the permission model applied to container root directories and plugins within containerd's architecture: the modes set on them were not restrictive enough. When containers contain executable programs with extended permission bits such as setuid, these programs become accessible to unprivileged host users, who can discover and execute them. The vulnerability becomes particularly dangerous when the user identifier of an unprivileged Linux user on the host system matches the file owner or group inside a container, allowing unauthorized file discovery, reading, and modification. This UID collision creates a direct attack vector that bypasses normal container isolation mechanisms.

The operational impact of CVE-2021-41103 extends beyond simple privilege escalation to encompass potential data compromise and system integrity violations. Attackers can leverage this vulnerability to traverse directory contents within container environments, potentially accessing sensitive application data, configuration files, or system resources. The ability to execute setuid programs within containers creates opportunities for attackers to escalate privileges beyond the initial unprivileged access, potentially leading to full system compromise. This vulnerability directly violates the principle of least privilege and container isolation that containerd is designed to enforce, making it particularly concerning for production environments.

Security mitigations for CVE-2021-41103 align with established cybersecurity practices and address the core permission flaws identified in the vulnerability. The recommended solution involves updating to containerd versions 1.4.11 or 1.5.7, which contain patches that properly enforce directory permissions and restrict access controls. Organizations should also implement immediate directory permission updates on container bundle directories as a temporary mitigation measure. The ATT&CK framework categorizes this vulnerability under privilege escalation techniques, specifically targeting container escape and credential access methods. Additionally, this vulnerability maps to CWE-276, which addresses improper file permissions, and CWE-732, which covers inadequate permissions for critical resources. Organizations should also consider implementing host-based access controls, limiting user access to trusted personnel, and monitoring for unauthorized file access patterns to prevent exploitation of this vulnerability.
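
An added example (not code from containerd or VulDB) for checking whether the directory-permission mitigation is in place: it walks a state directory supplied by the caller and reports the directories that "other" users can traverse, plus any setuid/setgid executables reachable through them. The `audit` function and the path argument are assumptions; this page does not name the affected directories, so the operator must supply them.

```python
import os
import stat
import sys

def audit(root):
    """Return (open_dirs, reachable_suid) for the tree under root.

    open_dirs: directories that grant traverse (o+x) to other users and are
    reachable from root through directories that also grant it.
    reachable_suid: setuid/setgid regular files, executable by others, that
    sit inside those directories.
    """
    open_dirs, reachable_suid = [], []
    # lstat/scandir without following symlinks, so the walk stays in the tree.
    if not os.lstat(root).st_mode & stat.S_IXOTH:
        return open_dirs, reachable_suid  # root itself already blocks traversal
    open_dirs.append(root)
    stack = [root]
    while stack:
        current = stack.pop()
        try:
            entries = list(os.scandir(current))
        except OSError:
            continue  # unreadable for the auditing user; run as root for full coverage
        for entry in entries:
            mode = entry.stat(follow_symlinks=False).st_mode
            if stat.S_ISDIR(mode) and mode & stat.S_IXOTH:
                # Only descend where an unprivileged user could also descend.
                open_dirs.append(entry.path)
                stack.append(entry.path)
            elif stat.S_ISREG(mode) and mode & stat.S_IXOTH \
                    and mode & (stat.S_ISUID | stat.S_ISGID):
                reachable_suid.append(entry.path)
    return sorted(open_dirs), sorted(reachable_suid)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit.py <containerd state or bundle directory>")
    dirs, suid = audit(sys.argv[1])
    for path in dirs:
        print("traversable by others:", path)
    for path in suid:
        print("setuid/setgid reachable:", path)
    sys.exit(1 if suid else 0)
```

An empty second list after tightening the bundle directory modes indicates that setuid programs inside container root filesystems are no longer reachable by unprivileged host users.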

Responsible

GitHub, Inc.

Reservation

09/15/2021

Disclosure

10/04/2021

Moderation

accepted

CPE

ready

EPSS

0.00482

KEV

no

Activities

very low
