{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "CRI gRPC runtime endpoint /run/containerd/containerd.sock: CreateContainer imports an attacker-supplied checkpoint archive, then StartContainer runs a later victim container from the poisoned local image tag",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "docker privileged runner",
    "containerd v2.2.2 vulnerable CRI plugin",
    "containerd v2.2.5 fixed CRI plugin negative control",
    "runc",
    "CNI ptp",
    "local registry:2"
  ],
  "proof_artifacts": [
    "logs/exploit_evidence.txt",
    "logs/vulnerable_v222_exploit_evidence.txt",
    "logs/vulnerable_v222_exploit_stdout.log",
    "logs/vulnerable_v222_containerd.log",
    "logs/vulnerable_v222_ctr_images.txt",
    "logs/vulnerable_v222_crictl_ps.txt",
    "logs/vulnerable_v222_podlogs.txt",
    "logs/fixed_v225_exploit_evidence.txt",
    "logs/fixed_v225_exploit_stdout.log",
    "logs/fixed_v225_containerd.log",
    "logs/fixed_v225_ctr_images.txt",
    "logs/fixed_v225_crictl_ps.txt",
    "logs/source/patch_check.txt",
    "logs/reproduction_steps.log"
  ],
  "notes": "Confirmed: vulnerable containerd v2.2.2 CRI checkpoint import poisoned a victim image tag and a subsequent CRI StartContainer executed attacker-controlled image code; fixed containerd v2.2.5 did not create the poisoned tag and no attacker code executed."
}
