EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in containerd, specifically in versions 1.7.0 to 1.7.32, 2.0.0 to 2.0.9, 2.1.0 to 2.1.8, 2.2.0 to 2.2.4, and 2.3.0 to 2.3.1. They can lead to remote code execution and arbitrary command execution on the host, posing a significant business risk.
• CVE-2026-53488 with a CVSS score of 8.7 – This vulnerability results from the CRI plugin propagating labels from an image config to the container without validation. Exploitation requires the ability to have a node pull an image carrying a malicious label, after which an attacker can execute an arbitrary command on the host.
• CVE-2026-53492 with a CVSS score of 8.4 – This vulnerability is due to containerd's CRI implementation improperly trusting CDI (Container Device Interface) annotations found within untrusted checkpoint image metadata during container restoration. This allows a user to bypass standard Kubernetes resource allocation and device plugin enforcement.
The identified vulnerabilities pose a significant risk to businesses, as they can be exploited to gain unauthorized access to sensitive data and systems, resulting in potential data breaches, financial losses, and reputational damage. Immediate action is essential to address these vulnerabilities, prevent exploitation, and minimize business consequences.
RECOMMENDATION:
We recommend updating containerd to version 1.7.33, 2.0.10, 2.1.9, 2.2.5, or 2.3.2, depending on the release line in use.
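The following check is an added example, not part of the advisory or of the containerd project: it maps the version string printed by `containerd --version` onto the affected ranges listed above and names the fixed release for that line. The sample version strings are constructed; hostnames in `SAMPLE_OUTPUTS` are placeholders.

```python
import re

# Affected ranges (inclusive) and the fixed release for each line, as stated in the advisory.
AFFECTED = [
    ((1, 7, 0), (1, 7, 32), (1, 7, 33)),
    ((2, 0, 0), (2, 0, 9), (2, 0, 10)),
    ((2, 1, 0), (2, 1, 8), (2, 1, 9)),
    ((2, 2, 0), (2, 2, 4), (2, 2, 5)),
    ((2, 3, 0), (2, 3, 1), (2, 3, 2)),
]

# First X.Y.Z in the output; the optional leading "v" is how containerd prints it.
# A pre-release suffix such as "-rc.1" is ignored, which errs on the side of flagging the build.
VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract the first semantic version from `containerd --version` output as an int tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in: {text!r}")
    return tuple(int(part) for part in m.groups())

def assess(text):
    """Return (affected, fixed_version).

    affected is True when the version falls inside one of the advisory's ranges;
    fixed_version is the release to upgrade to on that line, or None when the
    version is not inside any listed range (already fixed, or a line the advisory
    does not cover).
    """
    version = parse_version(text)
    for low, high, fixed in AFFECTED:
        if low <= version <= high:          # tuple comparison is component-wise
            return True, ".".join(map(str, fixed))
    return False, None

# Constructed sample outputs, in the format `containerd --version` prints (hash shortened).
SAMPLE_OUTPUTS = {
    "node-a": "containerd github.com/containerd/containerd v1.7.20 88bf19b",
    "node-b": "containerd github.com/containerd/containerd/v2 v2.3.1 207ad71",
    "node-c": "containerd github.com/containerd/containerd/v2 v2.3.2 c5e9f3a",
}

def assess_hosts(outputs=SAMPLE_OUTPUTS):
    """Map each host to its (affected, fixed_version) verdict."""
    return {host: assess(text) for host, text in outputs.items()}

if __name__ == "__main__":
    for host, (affected, fixed) in assess_hosts().items():
        print(f"{host}: {'AFFECTED, upgrade to ' + fixed if affected else 'not in an affected range'}")
```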
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-xhf5-7wjv-pqxp
https://github.com/advisories/GHSA-33vj-92qq-66hc