Cyber Posture

CVE-2024-40635

Medium

Published: 17 March 2025

Published
17 March 2025
Modified
02 October 2025
KEV Added
Patch
CVSS Score 4.6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
EPSS Score 0.0006 19.1th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Security Summary

CVE-2024-40635 is an integer overflow vulnerability (CWE-190) in containerd, an open-source container runtime. It affects versions prior to 1.6.38, 1.7.27, and 2.0.4. The flaw occurs when containers are launched with a User specified as a UID:GID larger than the maximum 32-bit signed integer, triggering an overflow that causes the container to run as root (UID 0) rather than the intended non-root user, leading to unexpected privilege escalation behavior in environments enforcing non-root execution.

Exploitation requires local access (AV:L), low complexity (AC:L), and high privileges (PR:H), with no user interaction needed (UI:N). A privileged local attacker can import and launch a container image with an oversized UID:GID value, causing the overflow and allowing the container to execute with root privileges. This achieves low confidentiality and integrity impacts (C:L/I:L/A:N) but in a changed scope (S:C), as scored at CVSS 4.6 (CVSS:3.1).

Patches addressing the issue are available in containerd commits 05044ec0a9a75232cad458027ca83437aae3f4da, 1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20, and cf158e884cfe4812a6c371b59e4ea9bc4c46e51a, fixing the vulnerability in versions 1.6.38, 1.7.27, and 2.0.4. The containerd security advisory GHSA-265r-hfxg-fhmg details the issue, recommending upgrades. As a workaround, use only trusted images and limit image import permissions to trusted users. A Debian LTS announcement provides additional distribution-specific guidance.
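As an added illustration (not containerd's code; the page does not show the exact conversion path inside containerd), the Go snippet below shows the CWE-190 pattern the summary describes: a UID:GID field parsed at 64-bit width and then narrowed to 32 bits, next to a parser that reads at the target width so strconv rejects out-of-range values instead of wrapping. The value 4294967296 is a constructed input that truncates to 0.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// parseSpec parses a "UID:GID" spec, reading each field at the given bit
// width. With width 64 the later narrowing to uint32 wraps silently; with
// width 32 strconv returns ErrRange for anything above 2147483647.
func parseSpec(spec string, bitSize int) (uint32, uint32, error) {
	parts := strings.SplitN(spec, ":", 2)
	if len(parts) != 2 {
		return 0, 0, errors.New("user spec must be UID:GID")
	}
	uid, err := strconv.ParseInt(parts[0], 10, bitSize)
	if err != nil || uid < 0 {
		return 0, 0, fmt.Errorf("uid %q: out of range", parts[0])
	}
	gid, err := strconv.ParseInt(parts[1], 10, bitSize)
	if err != nil || gid < 0 {
		return 0, 0, fmt.Errorf("gid %q: out of range", parts[1])
	}
	return uint32(uid), uint32(gid), nil // narrowing: wraps when bitSize == 64
}

// ParseUserUnsafe mirrors the hazardous pattern: 64-bit parse, 32-bit store.
func ParseUserUnsafe(spec string) (uint32, uint32, error) { return parseSpec(spec, 64) }

// ParseUserSafe parses at the target width so oversized values are rejected.
func ParseUserSafe(spec string) (uint32, uint32, error) { return parseSpec(spec, 32) }

func main() {
	// Constructed input: 2^32 wraps to 0 (root) when truncated to 32 bits.
	for _, spec := range []string{"1000:1000", "4294967296:4294967296"} {
		uid, _, err := ParseUserUnsafe(spec)
		fmt.Printf("unsafe %-22s uid=%d err=%v\n", spec, uid, err)
		uid, _, err = ParseUserSafe(spec)
		fmt.Printf("safe   %-22s uid=%d err=%v\n", spec, uid, err)
	}
}
```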

Details

CWE(s)
CWE-190

Affected Products

linuxfoundation
containerd
≤ 1.6.38 · 1.7.0 — 1.7.27 · 2.0.0 — 2.0.4
debian
debian linux
11.0

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The integer overflow in containerd's UID:GID handling directly causes containers to execute as root (UID 0) instead of the intended non-root user, enabling an attacker to exploit the flaw for privilege escalation in non-root enforcement environments.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
