CVE-2020-15257
CVE-2020-15257 is a medium-severity vulnerability in Linuxfoundation Containerd with a CVSS 3.x base score of 5.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-669.
Key facts
- Severity: Medium (CVSS 3.x base score 5.2)
- CVSS v2: 3.6
- EPSS exploit prediction: 3% (87th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-669
- Affected product: Linuxfoundation Containerd
- Published:
- Last modified:
Description
containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.
Frequently asked questions
- What is CVE-2020-15257?
- containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.
- How severe is CVE-2020-15257?
- CVE-2020-15257 has a CVSS 3.x base score of 5.2, rated medium severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2020-15257 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 3% (87th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2020-15257?
- CVE-2020-15257 primarily affects Linuxfoundation Containerd. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2020-15257?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2020-15257 published?
- CVE-2020-15257 was published on 2020-12-01 and last updated on 2026-06-17.
References
- https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad
- https://github.com/containerd/containerd/releases/tag/v1.4.3
- https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNKXLOLZWO5FMAPX63ZL7JNKTNNT5NQD/
- https://security.gentoo.org/glsa/202105-33
- https://www.debian.org/security/2021/dsa-4865
Affected products (3)
- cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
More vulnerabilities in Linuxfoundation Containerd
- CVE-2026-50195 — Critical (CVSS 9.9): containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the…
- CVE-2026-53492 — Critical (CVSS 9.6): containerd is an open-source container runtime. In Versions prior to 2.3.2, 2.2.5 and 2.1.9, the CRI implementation…
- CVE-2026-53488 — High (CVSS 8.8): containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI…
- CVE-2021-43816 — High (CVSS 8.0): containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or…
- CVE-2026-46680 — High (CVSS 7.8): containerd is an open-source container runtime. In versions prior to 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers…
- CVE-2021-41103 — High (CVSS 7.8): containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was…
All CVEs affecting Linuxfoundation Containerd →
Other CWE-669 vulnerabilities
- CVE-2021-30120 — Critical (CVSS 9.9): Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication in…
- CVE-2025-67895 — Critical (CVSS 9.8): Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you…
- CVE-2022-4446 — Critical (CVSS 9.8): PHP Remote File Inclusion in GitHub repository tsolucio/corebos prior to 8.0.
- CVE-2020-24683 — Critical (CVSS 9.8): The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which…
- CVE-2020-5800 — Critical (CVSS 9.8): The Eat Spray Love mobile app for both iOS and Android contains logic that allows users to bypass authentication and…
- CVE-2020-15892 — Critical (CVSS 9.8): An issue was discovered in apply.cgi on D-Link DAP-1520 devices before 1.10b04Beta02. Whenever a user performs a login…