A bug was found in containerd where containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd's CRI implementation