CVE-2024-40635 in containerd
Summary
by MITRE • 03/18/2025
containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/21/2026
The vulnerability identified as CVE-2024-40635 affects containerd, a widely-used open-source container runtime that serves as the foundation for container orchestration platforms including docker and kubernetes. This flaw represents a critical privilege escalation issue that fundamentally undermines container security models. The vulnerability arises from improper handling of user identifiers when containers are launched with User specifications formatted as UID:GID pairs. When these identifiers exceed the maximum value of a 32-bit signed integer, specifically 2,147,483,647, the system experiences an integer overflow condition that results in the container being executed with root privileges regardless of the intended user specification.
The technical root cause of this vulnerability aligns with CWE-191, which describes integer underflow or overflow conditions, and specifically manifests as a CWE-190, integer overflow. The flaw occurs during the parsing and validation of user identifiers within containerd's runtime execution pipeline. When a container is configured to run with a UID:GID combination exceeding the 32-bit signed integer limit, the system's arithmetic operations fail to properly handle the overflow, causing the effective user ID to wrap around and default to zero, which corresponds to the root user account. This behavior fundamentally violates the principle of least privilege that containerization platforms are designed to enforce, allowing containers that should operate with restricted user permissions to gain full root access.
The operational impact of this vulnerability is severe and far-reaching across containerized environments. Systems that rely on non-root user execution for security isolation become vulnerable to privilege escalation attacks, potentially allowing malicious actors to gain complete control over host systems. The vulnerability affects multiple major versions of containerd, specifically those prior to 1.6.38, 1.7.27, and 2.0.4, indicating a widespread exposure across different release lines. This issue particularly impacts environments where security policies mandate that containers run as non-root users, such as production kubernetes clusters, cloud-native applications, and regulated environments where container security is paramount. The vulnerability could be exploited by attackers who gain the ability to specify container user IDs or who can influence image creation processes, potentially leading to complete system compromise and persistent backdoor access.
Organizations must implement immediate remediation strategies to address this vulnerability, with the primary solution being the upgrade to containerd versions 1.6.38, 1.7.27, or 2.0.4, which contain the necessary patches to properly handle large UID:GID values. The workaround recommendations emphasize the importance of image trust and access control measures, aligning with ATT&CK technique T1548.001 for privilege escalation through container manipulation. Additional mitigations should include implementing strict image validation policies, restricting user permissions for image import operations, and monitoring for unusual user ID specifications in container configurations. Security teams should also consider implementing runtime protections such as user namespace isolation and capability dropping mechanisms to minimize the potential impact even if the vulnerability is not immediately patched. The vulnerability demonstrates the critical importance of proper integer handling in security-sensitive applications and highlights the need for comprehensive testing of edge cases in container runtime environments.