DEBIAN-CVE-2024-40635

Source
https://security-tracker.debian.org/tracker/CVE-2024-40635
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2024-40635.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2024-40635
Upstream
Published
2025-03-17T22:15:13Z
Modified
2025-09-30T05:19:20.087724Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4: containers launched with a User set to a UID:GID larger than the maximum 32-bit signed integer can trigger an overflow condition in which the container ultimately runs as root (UID 0). This could cause unexpected behavior in environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.0.4. As a workaround, ensure that only trusted images are used and that only trusted users have permission to import images.

References

Affected packages

Debian:11 / containerd

Package

Name
containerd
Purl
pkg:deb/debian/containerd?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.4.13~ds1-1~deb11u5

Affected versions

1.*

1.4.5~ds1-2
1.4.5~ds1-2+deb11u1
1.4.12~ds1-1~deb11u1
1.4.13~ds1-1~deb11u1
1.4.13~ds1-1~deb11u2
1.4.13~ds1-1~deb11u3
1.4.13~ds1-1~deb11u4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / containerd

Package

Name
containerd
Purl
pkg:deb/debian/containerd?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

1.*

1.6.20~ds1-1
1.6.20~ds1-1+deb12u1
1.6.20~ds1-2
1.6.24~ds1-1
1.6.24~ds1-2
1.7.18~ds1-1
1.7.18~ds1-2
1.7.18~ds1-3
1.7.18~ds1-4
1.7.18~ds1-5
1.7.18~ds1-6
1.7.18~ds2-1
1.7.20~ds2-1
1.7.20~ds2-2
1.7.21~ds2-1
1.7.22~ds1-1
1.7.23~ds1-1
1.7.23~ds1-2
1.7.23~ds1-3
1.7.23~ds2-1
1.7.24~ds1-1
1.7.24~ds1-2
1.7.24~ds1-3
1.7.24~ds1-4
1.7.24~ds1-5
1.7.24~ds1-6
1.7.24~ds1-7
1.7.24~ds1-8

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / containerd

Package

Name
containerd
Purl
pkg:deb/debian/containerd?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.7.24~ds1-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / containerd

Package

Name
containerd
Purl
pkg:deb/debian/containerd?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.7.24~ds1-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}