CVE-2021-43816: CWE-281: Improper Preservation of Permissions in containerd containerd
containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.
AI Analysis
Technical Summary
CVE-2021-43816 is a vulnerability affecting containerd, an open source container runtime widely used as the container runtime interface (CRI) in Kubernetes and other container orchestration platforms. The issue specifically impacts containerd versions from 1.5.0 up to, but not including, 1.5.9. The vulnerability arises in environments where SELinux is enabled, such as on Enterprise Linux 8 distributions (CentOS, RHEL), Fedora, and SUSE MicroOS. Under these conditions, an unprivileged pod scheduled on a node can exploit the way containerd handles SELinux relabeling of hostPath volume mounts. By mounting privileged, regular files from the host filesystem into the container at specific in-container locations—namely /etc/hosts, /etc/hostname, or /etc/resolv.conf—the container process label is indiscriminately applied to these files. This relabeling effectively elevates the container's permissions, granting it complete read and write access to these host files, except for deletion. This behavior violates the principle of least privilege and allows containers that should be restricted to gain unauthorized access to sensitive host files. The vulnerability is classified under CWE-281, which concerns improper preservation of permissions. Although no known exploits have been reported in the wild, the flaw presents a significant risk in multi-tenant or shared environments where untrusted containers run. The issue was resolved in containerd version 1.5.9, and users are strongly advised to upgrade to this or later versions to mitigate the risk.
Potential Impact
For European organizations, especially those relying on containerized workloads orchestrated via Kubernetes or similar platforms using containerd as the runtime, this vulnerability poses a risk to the confidentiality and integrity of host system files. Unauthorized read/write access to arbitrary regular host files, obtained by mounting them at the in-container paths /etc/hosts, /etc/hostname or /etc/resolv.conf, can lead to container escape scenarios, privilege escalation, or manipulation of network configurations, potentially disrupting service availability or enabling lateral movement within the infrastructure. Industries with stringent data protection requirements, such as finance, healthcare, and critical infrastructure, could face compliance violations and operational risks if attackers exploit this flaw. The impact is magnified in environments with multi-tenant clusters or where untrusted workloads are scheduled, as malicious containers could leverage this vulnerability to compromise the host or other containers. Although deletion is not permitted, the ability to modify these files can still cause significant disruption or facilitate further attacks. Given the widespread adoption of containerd in cloud-native deployments across Europe, the vulnerability could affect a broad range of organizations if left unpatched.
Mitigation Recommendations
1. Upgrade containerd to version 1.5.9 or later; this is the primary mitigation and patches the vulnerability.
2. Review and restrict the use of hostPath volumes in Kubernetes pod specifications, in particular any hostPath volume whose in-container mount path is /etc/hosts, /etc/hostname or /etc/resolv.conf. Enforce this with admission controller policies or Pod Security Policies (PSPs).
3. Enforce strict SELinux policies and verify that container runtimes apply SELinux labels correctly, without indiscriminate relabeling.
4. Employ runtime security tools that monitor container behavior and file system access to detect anomalous attempts to access or modify host files.
5. Limit scheduling of untrusted or less-trusted workloads on nodes where sensitive data or critical services run.
6. Conduct regular security audits of container configurations and volume mounts to identify and remediate risky practices.
7. Educate DevOps and security teams about the risks of hostPath volume mounts and SELinux interactions in container environments to prevent misconfigurations.
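The admission check from item 2, as added example code written for this page (not containerd's or Kubernetes' own): it walks a plain pod-spec dict, as a validating admission webhook would receive it, and reports every hostPath volume whose in-container mount path normalizes to one of the three paths the advisory names. The sample pod spec and its host paths are constructed placeholders.

```python
"""Flag hostPath mounts landing on the in-container paths that containerd
before 1.5.9 relabels to the container's SELinux label (CVE-2021-43816).
Example code for this page; input is a plain pod-spec dict."""
import posixpath

# In-container paths that vulnerable containerd relabels regardless of what is
# bind-mounted there (from the advisory above).
RELABELED_PATHS = frozenset({"/etc/hosts", "/etc/hostname", "/etc/resolv.conf"})


def normalize_mount_path(path):
    """Collapse '//' and '/./' and drop trailing '/' so '/etc//hosts/' is seen
    as '/etc/hosts'."""
    norm = posixpath.normpath(path or "/")
    return norm if norm.startswith("/") else "/" + norm


def find_relabel_risky_mounts(pod_spec):
    """Return (container, volume, host path, mount path) for every hostPath
    volume mounted at a relabeled path; emptyDir/configMap mounts are fine."""
    host_paths = {v["name"]: v["hostPath"].get("path", "")
                  for v in pod_spec.get("volumes") or [] if "hostPath" in v}
    findings = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod_spec.get(kind) or []:
            for m in c.get("volumeMounts") or []:
                target = normalize_mount_path(m.get("mountPath", ""))
                if m.get("name") in host_paths and target in RELABELED_PATHS:
                    findings.append((c.get("name"), m["name"],
                                     host_paths[m["name"]], target))
    return findings


# Constructed sample (not from the page): one benign hostPath mount, one hostPath
# landing on /etc/resolv.conf via a non-canonical path, one emptyDir on /etc/hosts.
SAMPLE_POD_SPEC = {
    "volumes": [{"name": "logs", "hostPath": {"path": "/var/log/app"}},
                {"name": "cfg", "hostPath": {"path": "/srv/placeholder-file"}},
                {"name": "scratch", "emptyDir": {}}],
    "containers": [{"name": "app", "volumeMounts": [
        {"name": "logs", "mountPath": "/var/log/app"},
        {"name": "cfg", "mountPath": "/etc//resolv.conf/"},
        {"name": "scratch", "mountPath": "/etc/hosts"}]}],
}

if __name__ == "__main__":
    for hit in find_relabel_risky_mounts(SAMPLE_POD_SPEC):
        print("deny: container %s mounts hostPath %s (%s) at %s" % hit)
```

Pod Security Policies were removed in Kubernetes 1.25, so on current clusters a check like this belongs in a validating admission webhook or a policy engine such as Gatekeeper or Kyverno rather than a PSP.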
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2021-11-16T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9848c4522896dcbf60ec
Added to database: 5/21/2025, 9:09:28 AM
Last enriched: 6/22/2025, 4:34:57 AM
Last updated: 8/13/2025, 12:39:46 AM