CVE-2022-23471: CWE-400: Uncontrolled Resource Consumption in containerd containerd
containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.
AI Analysis
Technical Summary
CVE-2022-23471 is classified under CWE-400 (Uncontrolled Resource Consumption) and affects containerd, the open-source container runtime used by Kubernetes (through containerd's CRI plugin) and by crictl. The defect is in containerd's CRI stream server, the component that carries container I/O for exec and attach requests, including terminal (TTY) resize events. When an exec request asks for a TTY, the stream server launches a goroutine that reads resize events from the client and hands them on a channel to the code managing the container process. If that process never starts, for example because the requested command does not exist, the receiving side never reads from the channel and the goroutine blocks forever on its send. A blocked goroutine is never garbage-collected: its stack and everything it references stay allocated for the life of the containerd daemon, so every failed TTY exec leaks memory, and repeating the request drives the host towards memory exhaustion. The affected versions are containerd before 1.5.16 and 1.6.0 up to but not including 1.6.12; the fix shipped in 1.5.16 and 1.6.12. Triggering the bug requires the ability to exec into a running container (for example kubectl exec -t, or crictl on the node), so the exposure is to anyone holding that permission, including automation and CI identities. No exploitation in the wild has been reported. The impact is to availability only: denial of service of the node and every workload scheduled on it, not code execution or data disclosure.
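The blocking-send mechanism described above, as an added example written for this page (not containerd's own code): a minimal Go model of the resize-event forwarder. leakyResizeForwarder sends every decoded event on an unbuffered channel with no way to give up, which is the vulnerable pattern; fixedResizeForwarder bounds the send with the request context. runFailedExec simulates an exec whose process never starts, so no receiver is ever attached to the channel, and reports whether the forwarder goroutine got free. The JSON event shape, function names and timeouts are assumptions for illustration.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"runtime"
	"strings"
	"time"
)

// TerminalSize is a stand-in for the resize event a client writes on the
// TTY resize stream (assumed field names, constructed for this example).
type TerminalSize struct {
	Width  uint16
	Height uint16
}

// leakyResizeForwarder models the vulnerable pattern: decode resize events
// and send each one on an unbuffered channel unconditionally. If the exec
// path never attaches a receiver (the process failed to launch), the send
// blocks for the life of the daemon and the goroutine is never freed.
func leakyResizeForwarder(stream io.Reader, resize chan<- TerminalSize) {
	defer close(resize)
	dec := json.NewDecoder(stream)
	for {
		var size TerminalSize
		if err := dec.Decode(&size); err != nil {
			return // EOF or malformed event: the client went away
		}
		resize <- size // no receiver: blocks forever
	}
}

// fixedResizeForwarder models the remediation: the send is bounded by the
// request context, so a request that ends without a receiver releases the
// goroutine instead of leaking it.
func fixedResizeForwarder(ctx context.Context, stream io.Reader, resize chan<- TerminalSize) {
	defer close(resize)
	dec := json.NewDecoder(stream)
	for {
		var size TerminalSize
		if err := dec.Decode(&size); err != nil {
			return
		}
		select {
		case resize <- size:
		case <-ctx.Done():
			return
		}
	}
}

// runFailedExec simulates one TTY exec whose process fails to launch: the
// client has already written a resize event, the request finishes (its
// context is cancelled) and nobody ever reads from resize. It reports
// whether the forwarder goroutine exited within the timeout.
func runFailedExec(fixed bool) bool {
	stream := strings.NewReader(`{"Width":80,"Height":24}`) // constructed sample event
	resize := make(chan TerminalSize)                        // unbuffered, as in the stream server
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()

	exited := make(chan struct{})
	go func() {
		defer close(exited)
		if fixed {
			fixedResizeForwarder(ctx, stream, resize)
		} else {
			leakyResizeForwarder(stream, resize)
		}
	}()

	cancel() // the exec failed before any receiver was attached

	select {
	case <-exited:
		return true
	case <-time.After(200 * time.Millisecond):
		return false
	}
}

// leakedGoroutines runs n failed execs and returns how many goroutines were
// left behind: the quantity that grows without bound on a vulnerable host.
func leakedGoroutines(n int, fixed bool) int {
	before := runtime.NumGoroutine()
	for i := 0; i < n; i++ {
		runFailedExec(fixed)
	}
	time.Sleep(50 * time.Millisecond) // let exited goroutines be torn down
	return runtime.NumGoroutine() - before
}

func main() {
	fmt.Printf("leaky forwarder: %d goroutines left after 5 failed execs\n", leakedGoroutines(5, false))
	fmt.Printf("fixed forwarder: %d goroutines left after 5 failed execs\n", leakedGoroutines(5, true))
}
```

Each leaked goroutine is small on its own; the denial of service comes from the fact that nothing ever reclaims them, so an attacker with exec rights only needs to repeat a failing exec until the node runs out of memory.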
Potential Impact
For European organizations running Kubernetes or other containerd-based platforms, the realistic impact is loss of availability on the affected nodes. Memory exhaustion on a host degrades every container scheduled there, invites OOM kills and node-pressure evictions, and can cascade when the orchestrator reschedules evicted workloads onto other vulnerable nodes where the same user repeats the attack. Containers killed abruptly can also lose unflushed state. Sectors that run large containerized estates, such as finance, healthcare, telecommunications and critical infrastructure, are the most exposed, and unplanned outages there can carry regulatory consequences. The attacker must already hold permission to exec into containers, so the threat comes from malicious or compromised insiders, from CI/CD and support identities with exec rights, and from multi-tenant clusters where tenants can exec into their own pods on shared nodes. No public exploit is known, but the trigger is simply a failed exec with a TTY and needs no special tooling, so organizations with broadly granted exec permissions are at the highest risk.
Mitigation Recommendations
The fix is to upgrade containerd to 1.5.16 or 1.6.12 or later. On Kubernetes clusters the runtime version of every node is reported in the node status (containerRuntimeVersion), which makes the audit straightforward. Where an upgrade cannot happen immediately, the controlling mitigation is to limit who can exec into containers: in Kubernetes this means reviewing Roles and ClusterRoles that grant create on the pods/exec and pods/attach subresources and removing them from service accounts, CI pipelines and support roles that do not strictly need them; on the nodes it means restricting access to the containerd socket and to crictl. Image signing, vulnerability scanning and admission policies that block untrusted images reduce the chance of a faulty or malicious entrypoint reaching production, but they do not stop a user with exec rights from supplying a bad command directly, so they complement rather than replace access control. For detection, watch containerd's memory footprint and goroutine count on each node (the Go runtime gauges on containerd's Prometheus metrics endpoint, if it is enabled in config.toml) alongside the rate of exec requests that fail to start: a goroutine count that climbs in step with failed TTY execs and never comes back down is the signature of this leak. Runtime security tooling that alerts on unusual exec activity adds a further signal.
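The version audit recommended above, as an added example written for this page (not containerd's or Kubernetes' own tooling): a small Go program that parses the containerRuntimeVersion strings a Kubernetes node status reports (or the bare version printed by containerd --version) and applies the advisory's affected ranges. In a real cluster the input would come from kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name} {.status.nodeInfo.containerRuntimeVersion}{"\n"}{end}'; here the node map is a constructed sample. The function names and the sample node names are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// version is a parsed containerd release with any suffix dropped.
type version struct{ major, minor, patch int }

func (v version) less(o version) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// Fixed releases named in the advisory.
var (
	fixed15 = version{1, 5, 16}
	fixed16 = version{1, 6, 12}
)

// parseRuntimeVersion accepts a node's containerRuntimeVersion
// ("containerd://1.6.8") or a bare version ("v1.5.11", "1.6.12-1") and
// returns major.minor.patch. Other runtimes are rejected so they are not
// misreported as affected.
func parseRuntimeVersion(s string) (version, error) {
	s = strings.TrimSpace(s)
	if i := strings.Index(s, "://"); i >= 0 {
		if s[:i] != "containerd" {
			return version{}, fmt.Errorf("runtime %q is not containerd", s[:i])
		}
		s = s[i+3:]
	}
	s = strings.TrimPrefix(s, "v")
	// Drop pre-release, build and distro suffixes: 1.6.12-1, 1.5.11~ds1, 1.6.8+azure.
	if i := strings.IndexAny(s, "-+~_ "); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 3 {
		return version{}, fmt.Errorf("version %q is not major.minor.patch", s)
	}
	var nums [3]int
	for i := 0; i < 3; i++ {
		n, err := strconv.Atoi(parts[i])
		if err != nil {
			return version{}, fmt.Errorf("version %q: %w", s, err)
		}
		nums[i] = n
	}
	return version{nums[0], nums[1], nums[2]}, nil
}

// affected applies the advisory's ranges: everything before 1.5.16, and the
// 1.6 line before 1.6.12. Releases newer than the 1.6 line are outside the
// advisory's scope and reported as not affected.
func affected(v version) bool {
	if v.major == 1 && v.minor == 6 {
		return v.less(fixed16)
	}
	return v.less(fixed15)
}

// auditNodes returns the sorted names of nodes running an affected
// containerd; nodes on other runtimes or with unparsable versions are skipped.
func auditNodes(nodes map[string]string) []string {
	var vulnerable []string
	for name, rt := range nodes {
		v, err := parseRuntimeVersion(rt)
		if err != nil {
			continue
		}
		if affected(v) {
			vulnerable = append(vulnerable, name)
		}
	}
	sort.Strings(vulnerable)
	return vulnerable
}

// sampleNodes is constructed sample data, not output from a real cluster.
var sampleNodes = map[string]string{
	"worker-1": "containerd://1.6.8",
	"worker-2": "containerd://1.6.12",
	"worker-3": "containerd://1.5.11-0ubuntu1",
	"worker-4": "containerd://1.5.16",
	"worker-5": "cri-o://1.25.1",
}

func main() {
	fmt.Println("nodes still running an affected containerd:", auditNodes(sampleNodes))
}
```

Run against the sample, the audit names worker-1 and worker-3; the two nodes already on the fixed releases and the cri-o node are left out.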
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-01-19T21:23:53.757Z
- CISA Enriched: true
Threat ID: 682d9846c4522896dcbf4c12
Added to database: 5/21/2025, 9:09:26 AM
Last enriched: 6/22/2025, 1:06:54 PM
Last updated: 8/13/2025, 10:26:55 PM