### Impact
A bug was found in containerd’s CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd’s CRI implementation; `ExecSync` may be used when running probes or when executing processes via an “exec” facility.
### Patches
This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue.
### Workarounds
Ensure that only trusted images and commands are used.
### References
* Similar fix in cri-o’s CRI implementation https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j
### Credits
The containerd project would like to thank David Korczynski and Adam Korczynski of ADA Logics for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md) during a security audit sponsored by CNCF and facilitated by OSTIF.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose)
* Email us at [security@containerd.io](mailto:security@containerd.io)Read More