SB2026061902 - Multiple vulnerabilities in containerd
Published: June 19, 2026
Description
This security bulletin contains information about 5 vulnerabilities.
1) Incorrect authorization (CVE-ID: CVE-2026-53492)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass device allocation controls and inject arbitrary CDI configuration into a restored container.
The vulnerability exists due to improper input validation and incorrect authorization in containerd CRI checkpoint restore handling when restoring a container from an untrusted checkpoint image. A remote user can create a pod and restore it from a crafted checkpoint image to bypass device plugin enforcement and inject arbitrary CDI edits into the restored container.
Only nodes with CDI enabled and a matching host CDI specification for the requested device are vulnerable.
2) Input validation error (CVE-ID: CVE-2026-53488)
CWE-ID: CWE-20 - Improper Input Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary commands on the host.
The vulnerability exists due to improper input validation in the containerd CRI plugin when propagating image configuration labels to containers. A remote attacker can supply a crafted image with malicious labels to execute arbitrary commands on the host.
Exploitation requires a plugin that consumes container labels for some operations.
3) Insufficient verification of data authenticity (CVE-ID: CVE-2026-50195)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to insufficient verification of data authenticity in the CRI checkpoint import process when processing image references in a checkpoint image's configuration. A local user can create a crafted checkpoint image to poison the local image cache and execute arbitrary code.
Exploitation requires permissions to create pods, and affected pods must later use the poisoned tag with an IfNotPresent or Never pull policy on the same node.
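An audit for the precondition stated above, as an added example (not code from containerd or from this bulletin): it lists, per node, the containers that reference an image by tag with an IfNotPresent or Never pull policy. It assumes input in the shape of `kubectl get pods -A -o json`; treating digest-pinned references as out of scope is an assumption, and the sample pods and helper names are constructed.

```python
import re
from collections import defaultdict

# Pull policies under which the kubelet may use an image already on the node.
CACHE_TRUSTING = {"IfNotPresent", "Never"}
# A reference ending in @<algorithm>:<hex> names content by digest, not by tag.
DIGEST_RE = re.compile(r"@[a-z0-9]+:[0-9a-f]{32,}$")


def exposed_by_node(pod_list):
    """Map node name -> sorted (namespace/pod, container, image) tuples for
    containers that resolve a tag with a cache-trusting pull policy."""
    findings = defaultdict(list)
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        node = spec.get("nodeName", "<unscheduled>")
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            image = c.get("image", "")
            tagged = not DIGEST_RE.search(image)
            if c.get("imagePullPolicy") in CACHE_TRUSTING and tagged:
                pod_id = f"{meta.get('namespace')}/{meta.get('name')}"
                findings[node].append((pod_id, c.get("name"), image))
    return {node: sorted(rows) for node, rows in findings.items()}


def _pod(ns, name, node, containers, init=()):
    """Build a minimal pod object (hypothetical helper for the sample below)."""
    def as_dicts(cs):
        return [dict(zip(("name", "image", "imagePullPolicy"), c)) for c in cs]
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"nodeName": node, "initContainers": as_dicts(init),
                     "containers": as_dicts(containers)}}


# Constructed sample data; registry.example and all names are placeholders.
SAMPLE = {"items": [
    _pod("team-a", "web", "node-1",
         [("web", "registry.example/web:1.4", "IfNotPresent")]),
    _pod("team-a", "batch", "node-1",
         [("job", "registry.example/job@sha256:" + "a" * 64, "IfNotPresent")],
         init=[("init", "registry.example/tools:stable", "Never")]),
    _pod("team-b", "api", "node-2",
         [("api", "registry.example/api:2.0", "Always")]),
]}

if __name__ == "__main__":
    for node, rows in sorted(exposed_by_node(SAMPLE).items()):
        for pod_id, container, image in rows:
            print(f"{node}\t{pod_id}\t{container}\t{image}")
```

Grouping by node matters because the condition applies only to pods scheduled on the node where the tag was poisoned.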
4) UNIX symbolic link following (CVE-ID: CVE-2026-53489)
CWE-ID: CWE-61 - UNIX Symbolic Link (Symlink) Following
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information from the host.
The vulnerability exists due to symlink following in the CRI plugin checkpoint restore handling of container.log when restoring a checkpoint image. A remote attacker can supply a crafted checkpoint image containing a symlinked path to disclose sensitive information from the host.
The issue can expose host files via kubectl logs.
5) Resource exhaustion (CVE-ID: CVE-2026-47262)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in group parsing when creating a container from a maliciously crafted image. A remote user can supply a specially crafted image to cause a denial of service.
Successful exploitation can exhaust memory and trigger an out-of-memory kill of the containerd process, making the runtime API unavailable.
Remediation
Install updates from the vendor's website.
References
- https://github.com/containerd/containerd/security/advisories/GHSA-33vj-92qq-66hc
- https://github.com/containerd/containerd/security/advisories/GHSA-xhf5-7wjv-pqxp
- https://github.com/containerd/containerd/security/advisories/GHSA-cvxm-645q-p574
- https://github.com/containerd/containerd/security/advisories/GHSA-rgh6-rfwx-v388
- https://github.com/containerd/containerd/security/advisories/GHSA-jpcc-p29g-p8mq