The containerd community recently discovered vulnerability CVE-2022-31030, which affects the Container Runtime Interface (CRI) implementation of containerd. This vulnerability allows a program in a container to cause the containerd daemon to consume memory without bound during the invocation of the ExecSync API, so that containerd consumes all available memory of the node on which the container runs. Attackers can exploit this vulnerability to launch DoS attacks. Such attacks can be launched when the system uses the exec mechanism to run probes or lifecycle hooks.
CVE-2022-31030 is rated as medium severity.
First published: July 5, 2022
Updated: May 19, 2025 (with refined descriptions of the affected scope)
Affected scope
The following containerd versions are affected:
≤ v1.5.12
v1.6.0 - v1.6.5
This vulnerability is fixed in the following containerd versions:
v1.5.13
v1.6.6
Only the nodes in the node pools that use the containerd runtime are affected by this vulnerability.
For more information about this vulnerability, see CVE-2022-31030.
Mitigation
Perform the following operations to update the containerd version for the existing nodes in your cluster, and revoke the permissions of untrusted users to deploy applications.
1. Run the kubectl drain command to drain the node that you need to update.
2. Run the systemctl stop kubelet command to stop kubelet on the node.
3. Run the systemctl stop containerd command to stop containerd on the node.
4. Install the latest RPM package of containerd.
5. Run the systemctl start containerd command to start containerd.
6. Run the systemctl start kubelet command to start kubelet.
7. After you update the containerd version for the node, run the kubectl uncordon command to change the node to the Schedulable state.
8. If you want to update the containerd version for other nodes, repeat Step 2 and the following steps.
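The following script is an added example and is not part of this advisory. It checks a containerd version string against the affected ranges stated above (≤ v1.5.12 and v1.6.0 - v1.6.5) and wraps the node update steps in order so that they can be rehearsed with DRY_RUN=1 before a real node is touched. It assumes things the page does not state: the script runs on an administration host that has kubectl access to the cluster and passwordless SSH to the node, the node is RPM-based and its repository publishes the package as containerd.io, the drain is run with the --ignore-daemonsets flag so DaemonSet pods do not block it, and the output of containerd --version carries the version as its third whitespace-separated field. The sample containerd --version line in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a containerd version against
# the affected ranges of CVE-2022-31030 and rehearse the update procedure.
#
# Assumptions (not on the page): admin host with kubectl and passwordless SSH
# to the node; RPM-based node whose repository ships "containerd.io";
# `containerd --version` prints the version as its third field.

# version_from_output "<output of containerd --version>" -> "1.6.4"
# Example (constructed): "containerd containerd.io 1.6.4 deadbeef" -> 1.6.4
version_from_output() {
  printf '%s\n' "$1" | awk '{ sub(/^v/, "", $3); print $3 }'
}

# is_affected VERSION -> exit status 0 when VERSION is in an affected range.
# Affected per the advisory: <= 1.5.12 and 1.6.0 - 1.6.5 (fixed in 1.5.13 / 1.6.6).
is_affected() {
  v=${1#v}                                       # accept "v1.6.4" or "1.6.4"
  major=$(printf '%s\n' "$v" | awk -F. '{ print $1 + 0 }')
  minor=$(printf '%s\n' "$v" | awk -F. '{ print $2 + 0 }')
  patch=$(printf '%s\n' "$v" | awk -F. '{ print $3 + 0 }')  # missing patch -> 0
  if [ "$major" -lt 1 ]; then return 0; fi      # anything below 1.x is <= 1.5.12
  if [ "$major" -gt 1 ]; then return 1; fi
  if [ "$minor" -lt 5 ]; then return 0; fi
  if [ "$minor" -eq 5 ] && [ "$patch" -le 12 ]; then return 0; fi
  if [ "$minor" -eq 6 ] && [ "$patch" -le 5 ]; then return 0; fi
  return 1
}

# run CMD... -> execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# update_node NODE -> the advisory's steps in order: drain, stop kubelet, stop
# containerd, install the new RPM, start containerd, start kubelet, uncordon.
update_node() {
  node=$1
  run kubectl drain "$node" --ignore-daemonsets     # flag added here as an assumption
  run ssh "$node" systemctl stop kubelet
  run ssh "$node" systemctl stop containerd
  run ssh "$node" yum install -y containerd.io      # package name is an assumption
  run ssh "$node" systemctl start containerd
  run ssh "$node" systemctl start kubelet
  run kubectl uncordon "$node"
}

# Usage: DRY_RUN=1 ./update-containerd.sh worker-1 worker-2
# Nothing runs unless node names are given, so sourcing the file is side-effect free.
if [ "$#" -ge 1 ]; then
  for n in "$@"; do
    update_node "$n"
  done
fi
```

Run is_affected "$(version_from_output "$(ssh node containerd --version)")" on each node to list what still needs the update; then run the script once with DRY_RUN=1 to confirm the command sequence, and once without it per node. Because every step goes through run, the dry run prints exactly the commands that the real run executes.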