Security Audit of CRI-O Runtime
X41 performed a source code audit of CRI-O, the Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface, sponsored and organized once again by the Open Source Technology Improvement Fund. The report is released now that the development team addressed the issues identified.
The source code in scope for this audit was CRI-O commit 301eb72.
Full report of the security audit:
https://www.x41-dsec.de/static/reports/X41-OSTIF-CRI-O-Audit-Public-Report-2025-12-03.pdf
OSTIF blog post: https://ostif.org/cri-o-audit-complete/
CRI-O
The CRI-O runtime is an implementation of the Kubernetes Container Runtime Interface (CRI) compliant with the Open Container Initiative (OCI) and responsible for creating, running, and supervising container workloads on Kubernetes nodes.
Audit Results
During the audit, X41 identified no vulnerabilities. Instead, two informational findings were spotted.
One concerns the use of outdated dependencies that include known vulnerabilities. While it could not be conclusively verified whether these issues are directly exploitable through CRI-O, the fact that the affected component involves runc — a critical dependency in the container runtime stack — warrants prompt remediation. Updating the dependency to the latest upstream version is recommended to mitigate potential exposure and ensure consistency with current security patches. X41 additionally recommends establishing a robust update process for dependencies to ensure relevant security updates are identified and applied in a timely fashion.
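The recommended dependency update process needs a mechanical check that catches a pin falling below a known-good version. The Go program below is an added example, not code from the report or from the CRI-O project: it parses go.mod text and reports every module pinned below a policy floor. The go.mod fragment, the runc version in it and the floor in minimumVersions are constructed placeholders (a real floor would be taken from the module's own security advisories), and compareVersions covers only the vMAJOR.MINOR.PATCH[-prerelease][+build] shape that Go modules use, including pseudo-versions.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// minimumVersions is a hypothetical policy table: the lowest version a build may ship with.
// The floor here is a constructed placeholder, not a value from the audit report.
var minimumVersions = map[string]string{
	"github.com/opencontainers/runc": "v1.2.0", // placeholder floor, constructed for the example
}

// goModSample is a constructed go.mod fragment; the runc pin is a sample value, not CRI-O's.
const goModSample = `module example.com/runtime

go 1.22

require (
	github.com/opencontainers/runc v1.1.12 // constructed sample pin
	github.com/sirupsen/logrus v1.9.3
)
`

// Finding records a module pinned below its policy floor.
type Finding struct {
	Module, Have, Want string
}

// parseRequire extracts module -> version pairs from go.mod text. It handles the single-line
// form and the parenthesised block form and drops trailing "//" comments. replace and exclude
// directives are ignored, which is enough for a floor check on direct pins.
func parseRequire(goMod string) map[string]string {
	deps := map[string]string{}
	inRequire := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
		case line == "require (":
			inRequire = true
		case line == ")":
			inRequire = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				deps[f[1]] = f[2]
			}
		case inRequire:
			if f := strings.Fields(line); len(f) == 2 {
				deps[f[0]] = f[1]
			}
		}
	}
	return deps
}

// parseVersion splits "vMAJOR.MINOR.PATCH[-pre][+build]" into its numeric core and pre-release
// tag. Go pseudo-versions ("v0.0.0-20240101000000-abcdef012345") fall out as a pre-release of v0.0.0.
func parseVersion(v string) (core [3]int, pre string) {
	v = strings.TrimPrefix(v, "v")
	v, _, _ = strings.Cut(v, "+") // build metadata never affects precedence
	num, pre, _ := strings.Cut(v, "-")
	for i, part := range strings.SplitN(num, ".", 3) {
		core[i], _ = strconv.Atoi(part) // a non-numeric part counts as 0
	}
	return core, pre
}

// compareVersions returns -1, 0 or 1 ordering a before, equal to, or after b. Numeric parts are
// compared as integers (so v1.10.0 > v1.9.9) and a release outranks a pre-release of the same core.
func compareVersions(a, b string) int {
	ca, pa := parseVersion(a)
	cb, pb := parseVersion(b)
	for i := range ca {
		if ca[i] != cb[i] {
			if ca[i] < cb[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case pa == pb:
		return 0
	case pa == "":
		return 1
	case pb == "":
		return -1
	}
	return strings.Compare(pa, pb)
}

// CheckDependencies reports every module in floors that go.mod pins below its floor,
// sorted by module path so the output is stable for CI diffs.
func CheckDependencies(goMod string, floors map[string]string) []Finding {
	have := parseRequire(goMod)
	var out []Finding
	for mod, want := range floors {
		if got, ok := have[mod]; ok && compareVersions(got, want) < 0 {
			out = append(out, Finding{Module: mod, Have: got, Want: want})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out
}

func main() {
	for _, f := range CheckDependencies(goModSample, minimumVersions) {
		fmt.Printf("%s pinned at %s, policy floor is %s\n", f.Module, f.Have, f.Want)
	}
}
```

A check like this complements rather than replaces govulncheck ./..., which consults the Go vulnerability database and reports only the affected functions a binary actually reaches; the floor table is what lets a team enforce its own remediation deadline for a dependency such as runc even before a database entry exists.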
The second informational finding pertains to an input validation weakness in the sandbox configuration of CRI-O. While this issue does not present a direct exploitation path, addressing it is recommended as a defense-in-depth measure to improve the robustness and reliability of container runtime isolation.
The project also performs fuzzing as part of CNCF’s OSS-Fuzz initiative. X41 recommends introducing targeted, high-quality seed corpora, derived from real-world workloads, to substantially improve exploration depth, accelerate coverage expansion, and reduce the likelihood of long plateaus during fuzzing campaigns.
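The second finding and the fuzzing recommendation share a theme: the parser should reject malformed sandbox configuration early and completely, and the fuzzing seeds should be inputs that get past those checks into the deeper logic. The Go block below is an added example, not CRI-O's code: SandboxConfig is a hypothetical, cut-down type whose fields are modelled on the shape of a CRI pod sandbox config, and its checks illustrate the defense-in-depth validation pattern in general rather than the specific weakness the report refers to. The seed corpus is constructed, with placeholder UIDs, and CheckSeeds screens it so that every seed actually reaches the validation logic.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"regexp"
	"strings"
)

// SandboxConfig is a hypothetical, cut-down pod sandbox configuration used only for this
// example; it is not CRI-O's type.
type SandboxConfig struct {
	Name      string            `json:"name"`
	Namespace string            `json:"namespace"`
	UID       string            `json:"uid"`
	Hostname  string            `json:"hostname,omitempty"`
	LogDir    string            `json:"logDirectory"`
	Labels    map[string]string `json:"labels,omitempty"`
}

// dnsLabel is the RFC 1123 label shape Kubernetes requires for names and namespaces.
var dnsLabel = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$`)

// ParseSandboxConfig decodes strictly (unknown fields and trailing data are rejected) and then
// validates, so a caller never receives a config that only partially passed its checks.
func ParseSandboxConfig(raw []byte) (*SandboxConfig, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	var cfg SandboxConfig
	if err := dec.Decode(&cfg); err != nil {
		return nil, fmt.Errorf("decode: %w", err)
	}
	if _, err := dec.Token(); err != io.EOF {
		return nil, errors.New("trailing data after sandbox config")
	}
	if err := cfg.Validate(); err != nil {
		return nil, err
	}
	return &cfg, nil
}

// Validate collects every violation instead of stopping at the first, which makes rejected
// inputs easier to triage from logs.
func (c *SandboxConfig) Validate() error {
	var errs []error
	if !dnsLabel.MatchString(c.Name) {
		errs = append(errs, fmt.Errorf("name %q is not a DNS-1123 label", c.Name))
	}
	if !dnsLabel.MatchString(c.Namespace) {
		errs = append(errs, fmt.Errorf("namespace %q is not a DNS-1123 label", c.Namespace))
	}
	if strings.TrimSpace(c.UID) == "" {
		errs = append(errs, errors.New("uid must not be empty"))
	}
	if c.Hostname != "" && !dnsLabel.MatchString(c.Hostname) {
		errs = append(errs, fmt.Errorf("hostname %q is not a DNS-1123 label", c.Hostname))
	}
	// The log directory must be absolute and already canonical, so "..", "." and repeated
	// separators cannot steer it outside the intended tree.
	if !filepath.IsAbs(c.LogDir) || filepath.Clean(c.LogDir) != c.LogDir {
		errs = append(errs, fmt.Errorf("logDirectory %q is not a clean absolute path", c.LogDir))
	}
	for k, v := range c.Labels {
		if k == "" || strings.ContainsAny(k+v, "\x00\r\n") {
			errs = append(errs, fmt.Errorf("label %q has an empty key or control characters", k))
		}
	}
	return errors.Join(errs...)
}

// seedCorpus is a constructed set of realistic-looking sandbox configs (placeholder UIDs): the
// kind of inputs, derived from real workloads, that a fuzz target registers with f.Add so the
// campaign starts inside the validation logic rather than at "not JSON".
var seedCorpus = [][]byte{
	[]byte(`{"name":"nginx-7c5d","namespace":"web","uid":"uid-placeholder-1","hostname":"nginx-7c5d","logDirectory":"/var/log/pods/web_nginx-7c5d"}`),
	[]byte(`{"name":"coredns-5d78c9869d-2xk4p","namespace":"kube-system","uid":"uid-placeholder-2","logDirectory":"/var/log/pods/kube-system_coredns","labels":{"k8s-app":"kube-dns"}}`),
	[]byte(`{"name":"batch-job-1","namespace":"default","uid":"uid-placeholder-3","logDirectory":"/var/log/pods/default_batch-job-1","labels":{"job-name":"batch-job"}}`),
}

// CheckSeeds returns the indexes of seeds the parser rejects. A seed that fails validation never
// exercises the code after it, so a corpus is screened this way before a campaign.
func CheckSeeds(seeds [][]byte) []int {
	var bad []int
	for i, s := range seeds {
		if _, err := ParseSandboxConfig(s); err != nil {
			bad = append(bad, i)
		}
	}
	return bad
}

func main() {
	fmt.Println("rejected seeds:", CheckSeeds(seedCorpus))
	_, err := ParseSandboxConfig([]byte(`{"name":"Web","namespace":"web","uid":"u","logDirectory":"/var/log/pods/../../etc"}`))
	fmt.Println("bad config:", err)
}
```

In a _test.go file the matching Go fuzz target registers each screened seed with f.Add and calls ParseSandboxConfig inside f.Fuzz, asserting only that it never panics and that any accepted config re-encodes and re-parses to an identical value; coverage then grows from the seeds outward instead of spending the first hours rediscovering JSON syntax.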
Conclusion
Overall, the quality of the code base is outstanding. The functionality exposed through the APIs is implemented in a deliberately minimalistic fashion, effectively minimizing the potential attack surface. The use of Go’s native constructs for structured parameter handling and safe data (un)marshalling reflects a high level of proficiency in secure coding practices within the Go ecosystem. While improvements to the fuzzing efforts are recommended, X41 is left with the impression of a robust, intentionally engineered code base that demonstrates a clear and consistent security-oriented design philosophy.
If you are interested in working with us on such projects in the future, remote or in-office, ping us!