CVE-2021-43816 in containerd

Summary

by MITRE • 01/05/2022

containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.


Analysis

by VulDB Data Team • 11/16/2025

CVE-2021-43816 is a privilege-escalation flaw in containerd's CRI plugin that affects nodes running SELinux in enforcing mode. It is present from containerd v1.5.0-beta.0 until the fix in v1.5.9, whenever containerd is used as the Kubernetes container runtime (CRI). An unprivileged pod scheduled to such a node can use a hostPath volume to obtain read/write access to host files that SELinux would otherwise keep out of the container's reach. The root cause is in how the CRI plugin applies SELinux relabeling to a small set of in-container mount destinations when it creates a container.

For every pod sandbox the CRI plugin generates its own `/etc/hosts`, `/etc/hostname` and `/etc/resolv.conf` files and bind-mounts them into each container. Because containerd creates those files itself, it relabels them so that their SELinux context matches the container's process label and the container can read them. The bug is that the relabel was keyed on the in-container destination rather than on whether containerd had created the source: a pod that declares a hostPath volume and mounts it at one of those three paths has the hostPath source relabeled in exactly the same way. The host file, whatever it is, receives the container's file context and becomes readable and writable from inside the container even though the pod has no privileged security context. Because the container sees a bind mount of the file itself and never gains write access to the host directory that contains it, it cannot unlink the file, which is the "sans delete" qualifier in the summary.
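As an added example for this page (not containerd or Kubernetes project code), the following Python check scans a Pod manifest for the exact pattern the paragraph above describes: a hostPath volume whose in-container mount path is one of the three destinations containerd relabels. The two manifests at the bottom are constructed samples, and `/etc/shadow` and `/var/log` are illustrative host paths only; the summary says any regular host file can be chosen.

```python
"""Detect pod specs that exercise the CVE-2021-43816 relabel path.

Added example for this page, not code from containerd or Kubernetes.  It scans
a Pod manifest (the JSON that `kubectl get pod -o json` prints) for a hostPath
volume mounted at one of the three in-container paths the containerd CRI plugin
relabels.  The manifests at the bottom are constructed samples.
"""
import json

# In-container destinations that containerd's CRI plugin normally populates
# with its own per-sandbox files and relabels to the container's SELinux context.
RELABELED_DESTINATIONS = frozenset({"/etc/hosts", "/etc/hostname", "/etc/resolv.conf"})


def _host_path_volumes(spec):
    """Map volume name -> host path for every hostPath volume in the pod spec."""
    out = {}
    for vol in spec.get("volumes") or []:
        host = vol.get("hostPath")
        if host and host.get("path"):
            out[vol["name"]] = host["path"]
    return out


def find_relabel_hostpath_mounts(pod):
    """Return (container, mountPath, hostPath) for every suspicious mount.

    A mount is suspicious when its mountPath is one of RELABELED_DESTINATIONS
    and the volume behind it is a hostPath.  readOnly is deliberately ignored:
    on a vulnerable containerd the host file is relabeled either way, and read
    access to a sensitive host file is already a compromise.
    """
    spec = pod.get("spec") or {}
    host_paths = _host_path_volumes(spec)
    findings = []
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for container in containers:
        for mount in container.get("volumeMounts") or []:
            dest = (mount.get("mountPath") or "").rstrip("/") or "/"
            vol = mount.get("name")
            if dest in RELABELED_DESTINATIONS and vol in host_paths:
                findings.append((container.get("name"), dest, host_paths[vol]))
    return findings


def scan_manifest(manifest_json):
    """Parse a single Pod manifest (JSON text) and return its findings."""
    return find_relabel_hostpath_mounts(json.loads(manifest_json))


# Constructed sample: an unprivileged pod that mounts a host file at /etc/hosts.
# /etc/shadow stands in for any sensitive regular file on the node.
VULNERABLE_POD = """
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "relabel-demo"},
  "spec": {
    "containers": [{
      "name": "app", "image": "busybox",
      "volumeMounts": [{"name": "target", "mountPath": "/etc/hosts"}]
    }],
    "volumes": [{"name": "target", "hostPath": {"path": "/etc/shadow", "type": "File"}}]
  }
}
"""

# Constructed sample: a hostPath mounted where containerd does not relabel, plus
# a configMap (not a hostPath) at /etc/resolv.conf.  Neither should be flagged.
BENIGN_POD = """
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "ok"},
  "spec": {
    "containers": [{
      "name": "app", "image": "busybox",
      "volumeMounts": [
        {"name": "logs", "mountPath": "/host/log", "readOnly": true},
        {"name": "dns", "mountPath": "/etc/resolv.conf", "subPath": "resolv.conf"}
      ]
    }],
    "volumes": [
      {"name": "logs", "hostPath": {"path": "/var/log", "type": "Directory"}},
      {"name": "dns", "configMap": {"name": "dns-override"}}
    ]
  }
}
"""

if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_POD), ("benign", BENIGN_POD)):
        print(label, scan_manifest(manifest))
```

The check is useful as an audit over existing pods and as a starting point for an admission rule, but it is a narrower control than what clusters should already have: an admission policy that rejects hostPath volumes outright (as the Pod Security Standards baseline profile does) closes this path on both patched and unpatched nodes.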

The impact is not limited to the three file names: they are only the in-container destinations, and the source can be any regular file on the host. Read/write access to node configuration or to the kubelet's credentials is enough to move from an unprivileged pod to control of the node, and on an SELinux-enforcing host the relabel removes exactly the isolation that SELinux was deployed to provide. Two preconditions apply. First, the pod must be allowed to declare hostPath volumes; a cluster that rejects hostPath at admission (the Pod Security Standards baseline and restricted profiles do, as does a PodSecurityPolicy that omits hostPath from its allowed volume types) is not exposed through this path even with a vulnerable containerd. Second, the node must actually be using SELinux; without it a hostPath mount of a host file already grants the container the same access by design, which is why hostPath is restricted in the first place and why this issue is specific to SELinux installations.

The vulnerability is classified as CWE-276 (Incorrect Default Permissions) and maps to ATT&CK T1068 (Exploitation for Privilege Escalation) and T1562 (Impair Defenses), the latter because the relabel alters the SELinux context of a host file rather than merely reading it. The exposure is greatest where SELinux is relied on as a container isolation boundary, such as EL8 (CentOS, RHEL), Fedora and SUSE MicroOS nodes. containerd v1.5.9 fixes the issue so that only the files containerd generated for the sandbox are relabeled and user-supplied hostPath mounts keep their original host labels. Operators should upgrade to 1.5.9 or later, and until then deny hostPath volumes through admission control. After upgrading it is worth checking whether the flaw was already used: a host file outside container storage that carries a container file context, visible with `ls -Z`, or reported by `restorecon -n -v` as needing relabeling, is an indicator that a pod reached it through this path.

Responsible

GitHub, Inc.

Reservation

11/16/2021

Disclosure

01/05/2022

Moderation

accepted

CPE

ready

EPSS

0.01690

KEV

no

Activities

very low
