SUSE update for containerd

1) Incorrect default permissions

EUVDB-ID: #VU118141

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-25621

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions set for critical files, such as /var/lib/containerd (0711 instead of 0700), /run/containerd/io.containerd.grpc.v1.cri (0755 instead of 0700), and /run/containerd/io.containerd.sandbox.controller.v1.shim (0711 instead of 0700) and for the temp directory. A local user can escalate privileges on the system.

Mitigation

Update the affected package containerd to the latest version.

Vulnerable software versions

Basesystem Module: 15-SP7

Containers Module: 15-SP6 - 15-SP7

SUSE Linux Enterprise Real Time 15: SP6 - SP7

SUSE Linux Enterprise Server for SAP Applications 15: SP3 - SP7

SUSE Linux Enterprise Server 15: SP3 - SP7

SUSE Linux Enterprise Desktop 15: SP7

SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP5

SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4 - SP5

SUSE Linux Enterprise Server 15 SP5: LTSS

SUSE Linux Enterprise Server 15 SP3: LTSS

SUSE Linux Enterprise Server 15 SP4: LTSS

openSUSE Leap: 15.6

SUSE Linux Enterprise Micro: 5.2 - 5.5

SUSE Linux Enterprise Micro for Rancher: 5.2 - 5.4

SUSE Linux Enterprise High Performance Computing 15: SP3 - SP5

SUSE Enterprise Storage: 7.1

containerd-devel: before 1.7.29-150000.128.1

containerd: before 1.7.29-150000.128.1

containerd-ctr: before 1.7.29-150000.128.1

CPE2.3

• cpe:2.3:o:suse:basesystem_module:15-SP7:*:*:*:*:*:*:*
• cpe:2.3:o:suse:containers_module:15-SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:containers_module:15-SP7:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP7:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP4:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP4:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP7:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_ltss_15:SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_espos_15:SP4:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15_sp5:LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15_sp3:LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15_sp4:LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:opensuse_leap:15.6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_micro:5.2:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_micro_for_rancher:5.2:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_enterprise_storage:7.1:*:*:*:*:*:*:*
• cpe:2.3:a:suse:containerd-devel:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:containerd:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:containerd-ctr:*:*:*:*:*:suse_linux:*:*

External links

https://www.suse.com/support/update/announcement/2025/suse-su-20254288-1/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Resource exhaustion

EUVDB-ID: #VU118176

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-64329

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists in CRI Attach implementation due to goroutine leaks. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack against the host.

Mitigation

Update the affected package containerd to the latest version.

Vulnerable software versions

Basesystem Module: 15-SP7

Containers Module: 15-SP6 - 15-SP7

SUSE Linux Enterprise Real Time 15: SP6 - SP7

SUSE Linux Enterprise Server for SAP Applications 15: SP3 - SP7

SUSE Linux Enterprise Server 15: SP3 - SP7

SUSE Linux Enterprise Desktop 15: SP7

SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP5

SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4 - SP5

SUSE Linux Enterprise Server 15 SP5: LTSS

SUSE Linux Enterprise Server 15 SP3: LTSS

SUSE Linux Enterprise Server 15 SP4: LTSS

openSUSE Leap: 15.6

SUSE Linux Enterprise Micro: 5.2 - 5.5

SUSE Linux Enterprise Micro for Rancher: 5.2 - 5.4

SUSE Linux Enterprise High Performance Computing 15: SP3 - SP5

SUSE Enterprise Storage: 7.1

containerd-devel: before 1.7.29-150000.128.1

containerd: before 1.7.29-150000.128.1

containerd-ctr: before 1.7.29-150000.128.1

CPE2.3

• cpe:2.3:o:suse:basesystem_module:15-SP7:*:*:*:*:*:*:*
• cpe:2.3:o:suse:containers_module:15-SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:containers_module:15-SP7:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP7:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP4:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP4:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP7:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_ltss_15:SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_espos_15:SP4:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15_sp5:LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15_sp3:LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15_sp4:LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:opensuse_leap:15.6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_micro:5.2:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_micro_for_rancher:5.2:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_enterprise_storage:7.1:*:*:*:*:*:*:*
• cpe:2.3:a:suse:containerd-devel:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:containerd:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:containerd-ctr:*:*:*:*:*:suse_linux:*:*

External links

https://www.suse.com/support/update/announcement/2025/suse-su-20254288-1/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.