containerd Fuzzing Audit Uncovers Vulnerability and Enhances Cloud‑Native Security
The containerd project completed a comprehensive fuzzing audit that added 28 fuzzers, uncovered a denial-of-service vulnerability in OCI image import (CVE-2023-25153), and demonstrated the robustness of its codebase while highlighting the importance of fuzz testing for cloud-native runtime security.
The containerd project announced the completion of a thorough fuzzing audit, adding 28 fuzzers that cover a wide range of container runtime functionalities. The audit, part of a larger CNCF initiative to improve cloud security through fuzzing, was performed by Ada Logics during 2021‑2022.
Containerd is a high‑level container runtime that originated at Docker in 2014, later donated to CNCF in 2017. It manages image transfer, metadata, and implements the Kubernetes CRI, serving as the underlying runtime for many Kubernetes deployments.
Fuzzing, a technique for discovering software bugs by feeding a program large volumes of generated and mutated input, requires two parts: a fuzzing engine, which produces the inputs and tracks coverage, and a harness, which hands each input to the code under test. Initially containerd used the go-fuzz engine; during the audit the native Go fuzz engine (the `go test -fuzz` support built into the toolchain) was adopted, so the suite ended up with both go-fuzz and native Go harnesses.
The audit proceeded in two phases. In the first phase, auditors added 28 fuzzers to the CNCF fuzzing repository, targeting areas such as the CRI endpoint, image import, snapshot diff, content store, and filter parsing. In the second phase, the fuzzers were migrated to the containerd repository, where OSS‑Fuzz continuously runs them on the latest main branch, accumulating nearly 40,000 hours of fuzzing time.
A key tool in the fuzzing suite is go-fuzz-headers, which converts raw fuzz inputs into structured data for the CRI fuzzer. The example below shows how a testcase is consumed to populate a runtime.CreateContainerRequest and printed: the testcase encodes a length prefix of 13 followed by the bytes of "podsandbox123", which the consumer turns into the request's first string field, and GenerateStruct reports an error once the input runs out of bytes, which real harnesses treat as "skip this input".

```go
package main

import (
	"fmt"

	fuzz "github.com/AdaLogics/go-fuzz-headers"
	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
)

func main() {
	// A raw fuzz input: a length prefix (13) followed by the bytes of
	// "podsandbox123". In a harness these bytes come from the fuzzing engine.
	testcase := []byte{0, 0, 0, 13, 112, 111, 100, 115, 97, 110, 100, 98, 111, 120, 49, 50, 51}

	// The consumer walks the input and spends its bytes filling the struct's
	// fields in order.
	ff := fuzz.NewConsumer(testcase)
	r := &runtime.CreateContainerRequest{}
	if err := ff.GenerateStruct(r); err != nil {
		// Harnesses normally return here: an error means the input did not
		// carry enough bytes to populate the whole struct.
		fmt.Println("GenerateStruct:", err)
	}
	fmt.Printf("%+v\n", r)
}
```

The audit uncovered four unique issues, three within containerd and one in a third-party dependency. The most significant was a flaw in OCI image import: certain files in an imported image were read without a size limit, so a crafted image carrying a very large file could exhaust memory and cause a denial of service. It was assigned CVE-2023-25153 and fixed in containerd 1.5.18 and 1.6.18.
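As an added example, not containerd's code nor one of the audit's fuzzers, the following Go program shows the two things this page describes: the unbounded-read pattern behind an archive-import denial of service beside its bounded counterpart, and a native Go fuzz harness of the kind the fuzzers were migrated to. The tar archive is constructed in memory as sample data; the entry name index.json, the 1 MiB cap, and the function names are assumptions made for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"testing"
)

// ErrTooLarge is returned when an archive entry exceeds the caller's limit.
var ErrTooLarge = errors.New("archive entry exceeds size limit")

// readUnbounded is the vulnerable pattern: the entry's declared size is
// trusted, so a crafted archive dictates how much memory the importer
// allocates.
func readUnbounded(r io.Reader) ([]byte, error) {
	return io.ReadAll(r)
}

// readBounded reads at most limit bytes and fails if the entry is larger,
// instead of letting the archive control the allocation.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	// Read one byte past the limit so an oversized entry is detectable.
	buf, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > limit {
		return nil, ErrTooLarge
	}
	return buf, nil
}

// buildArchive constructs a tar stream (sample data for this example) with a
// single entry of the given size, standing in for an image layout's index.json.
func buildArchive(name string, size int) []byte {
	var out bytes.Buffer
	tw := tar.NewWriter(&out)
	hdr := &tar.Header{Name: name, Mode: 0o644, Size: int64(size), Typeflag: tar.TypeReg}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	if _, err := tw.Write(bytes.Repeat([]byte{'{'}, size)); err != nil {
		panic(err)
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return out.Bytes()
}

// importEntry walks the archive and returns the bytes of the named entry,
// applying limit when bounded is true. Parser errors from archive/tar are
// returned unchanged so a fuzzer sees them as well.
func importEntry(archive []byte, name string, limit int64, bounded bool) ([]byte, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil, fmt.Errorf("entry %q not found", name)
		}
		if err != nil {
			return nil, err
		}
		if hdr.Name != name {
			continue
		}
		if bounded {
			return readBounded(tr, limit)
		}
		return readUnbounded(tr)
	}
}

// FuzzImportEntry is a native Go harness of the shape the audit migrated to.
// Seeds come from f.Add; the engine mutates them and calls the closure.
func FuzzImportEntry(f *testing.F) {
	f.Add(buildArchive("index.json", 64))
	f.Add([]byte("not a tar archive"))
	f.Fuzz(func(t *testing.T, data []byte) {
		// Property under test: the bounded importer never hands back more
		// than the cap, whatever size the archive header claims.
		got, err := importEntry(data, "index.json", 1<<10, true)
		if err == nil && len(got) > 1<<10 {
			t.Fatalf("bounded import returned %d bytes", len(got))
		}
	})
}

func main() {
	const limit = 1 << 20 // 1 MiB cap, an assumed value for this example
	big := buildArchive("index.json", 4<<20)
	if _, err := importEntry(big, "index.json", limit, true); err != nil {
		fmt.Println("bounded:", err)
	}
	got, _ := importEntry(big, "index.json", limit, false)
	fmt.Printf("unbounded: read %d bytes\n", len(got))
}
```

Run stand-alone, the program reads the 4 MiB entry in full through the unbounded path and rejects it with ErrTooLarge through the bounded one. Moved into a _test.go file, FuzzImportEntry runs under `go test -fuzz=FuzzImportEntry`, which is the same entry point OSS-Fuzz drives for the project's native harnesses.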
Overall, 28 fuzzers and nearly 40,000 hours of fuzzing surfaced only four problems, underscoring the high quality and maintainability of the containerd codebase. The authors thank the containerd maintainers, contributors, and the CNCF community for their support.
Interested contributors can join the discussion on the CNCF Slack #containerd‑dev channel or attend the bi‑monthly CNCF project meetings.
Cloud Native Technology Community
The Cloud Native Technology Community, part of the CNBPA Cloud Native Technology Practice Alliance, focuses on evangelizing cutting‑edge cloud‑native technologies and practical implementations. It shares in‑depth content, case studies, and event/meetup information on containers, Kubernetes, DevOps, Service Mesh, and other cloud‑native tech, along with updates from the CNBPA alliance.