CVE-2022-23648 in containerd
Summary
by MITRE • 03/03/2022
containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/24/2026
The vulnerability identified as CVE-2022-23648 represents a critical privilege escalation and information disclosure flaw within containerd's Container Runtime Interface implementation. This issue affects containerd versions prior to 1.6.1, 1.5.10, and 1.14.12, exposing systems to potential unauthorized access to host filesystem resources. The flaw specifically impacts containers launched through containerd's CRI implementation on Linux platforms, making it particularly concerning for Kubernetes environments where containerd serves as the default container runtime. The vulnerability stems from improper handling of image configuration during container initialization, creating a path for maliciously crafted container images to gain unintended read access to host directories and files.
The technical nature of this vulnerability aligns with CWE-22 - Improper Limitation of a Pathname to a Restricted Directory, where the container runtime fails to properly restrict file system access paths. The flaw allows containers to access read-only copies of arbitrary files and directories on the host system, effectively bypassing traditional security controls. This includes potential circumvention of Kubernetes Pod Security Policies that are designed to enforce access restrictions and protect sensitive host resources. The vulnerability manifests when container images contain specially crafted configuration elements that exploit path traversal mechanisms within containerd's CRI implementation, enabling attackers to map host filesystem locations into containerized environments without proper authorization.
Operationally, this vulnerability poses significant risks to containerized environments, particularly in multi-tenant Kubernetes clusters where security isolation is paramount. Attackers could leverage this flaw to extract sensitive information from host systems including configuration files, secrets, private keys, and other confidential data stored on the underlying infrastructure. The impact extends beyond simple information disclosure as it represents a fundamental breakdown in container isolation principles, potentially allowing attackers to gather intelligence about the host environment, network configurations, and system state. This vulnerability particularly affects environments where containers are deployed with elevated privileges or where security policies are enforced through container runtime mechanisms rather than host-level controls.
Mitigation strategies should focus on immediate version upgrades to containerd 1.6.1, 1.5.10, or 1.14.12, depending on the current deployment version. Organizations should implement comprehensive patch management processes to ensure all containerized environments are updated promptly. Additional protective measures include implementing strict image scanning protocols to identify potentially malicious container configurations, enhancing monitoring of container runtime activities for suspicious file access patterns, and reviewing existing Pod Security Policies to ensure they provide adequate protection against runtime-level vulnerabilities. The ATT&CK framework categorizes this vulnerability under T1059 - Command and Scripting Interpreter and T1565 - Data Manipulation, as it enables attackers to access and potentially manipulate host data through container runtime mechanisms. Organizations should also consider implementing runtime security controls such as container image integrity verification and host-based intrusion detection systems to detect and prevent exploitation attempts.