Affected by GO-2025-4100
and 7 other vulnerabilities
GO-2025-4100: containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd
GO-2025-4108: containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd
GO-2026-5064: containerd CRI checkpoint restore CDI annotation smuggling in github.com/containerd/containerd
GO-2026-5338: containerd: CRI checkpoint import allows local image tag poisoning in github.com/containerd/containerd
GO-2026-5378: containerd user ID handling bypass allows runAsNonRoot evasion in github.com/containerd/containerd
GO-2026-5475: containerd image-triggered runtime DoS via unbounded group parsing in github.com/containerd/containerd
GO-2026-5622: Arbitrary host CRI log file read via symlink following in CRI checkpoint restore in github.com/containerd/containerd
GO-2026-5758: containerd CRI — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull in github.com/containerd/containerd
WithProfile receives the name of a file stored on disk comprising a json
formatted seccomp profile, as specified by the opencontainers/runtime-spec.
The profile is read from the file, unmarshaled, and set to the spec.
FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline
since Go 1.21.