CVE-2026-47262
published 2026-06-25CVE-2026-47262: Title: containerd vulnerabilities Summary: Several security issues were fixed in containerd. It was discovered that containerd incorrectly handled HTTP/2…
high7.5
Title: containerd vulnerabilities
Summary: Several security issues were fixed in containerd.
It was discovered that containerd incorrectly handled HTTP/2 SETTINGS
frames. A remote attacker could possibly use this issue to cause containerd
to enter an infinite loop, resulting in a denial of service. (CVE-2026-33814)
Jakub Ciolek and Kyle Elliott discovered that containerd incorrectly
handled group parsing when creating containers from images. An attacker
could possibly use this issue to cause containerd to consume excessive
memory, resulting in a denial of service. (CVE-2026-47262)
Henry Beberman and Robert Prast discovered that containerd incorrectly
validated image references when importing container checkpoints. An
attacker could possibly use this issue to poison the local image cache and
execute arbitrary code in other pods. This issue only affected Ubuntu
22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10 and Ubuntu 26.04 LTS.
(CVE-2026-50195)
Robert Prast discovered that containerd incorrectly propagated labels
from image configurations to containers. An attacker could possibly use
this issue to execute arbitrary code on the host. (CVE-2026-53488)
Yuming Zhang, Song Li, Sangwon Ryu, Henry Beberman, Robert Prast, Kyle
Elliott and Zhenchen Wang discovered that containerd incorrectly validated
symlinked paths when restoring container checkpoints. An attacker could
possibly use this issue to read arbitrary files on the host, resulting in
information disclosure. This issue only affected Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-53489)
Robert Prast discovered that containerd incorrectly trusted device
interface annotations when restoring container checkpoints. An attacker
could possibly use this issue to bypass resource allocation restrictions
and inject devices or host mounts into a container. This issue only
affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10 and Ubuntu
26.04 LTS. (CVE-2026-53492)
Instructions: After a st
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | containerd_containerd | >= 1.7.0 < 1.7.33 | 1.7.33 |
| github.com | containerd_containerd_v2 | >= 2.0.0 < 2.0.10 | 2.0.10 |
| github.com | containerd_containerd_v2 | >= 2.1.0 < 2.1.9 | 2.1.9 |
| github.com | containerd_containerd_v2 | >= 2.2.0 < 2.2.5 | 2.2.5 |
| github.com | containerd_containerd_v2 | >= 2.3.0 < 2.3.2 | 2.3.2 |
| ubuntu | containerd | — | — |
| ubuntu | containerd-app | — | — |
| ubuntu | containerd-stable | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
containerd vulnerabilities
vendor_ubuntu·2026-06-25·CVSS 7.5
CVE-2026-53492 [HIGH] containerd vulnerabilities
Title: containerd vulnerabilities
Summary: Several security issues were fixed in containerd.
It was discovered that containerd incorrectly handled HTTP/2 SETTINGS
frames. A remote attacker could possibly use this issue to cause containerd
to enter an infinite loop, resulting in a denial of service. (CVE-2026-33814)
Jakub Ciolek and Kyle Elliott discovered that containerd incorrectly
handled group parsing when creating containers from images. An attacker
could possibly use this issue to cause containerd to consume excessive
memory, resulting in a denial of service. (CVE-2026-47262)
Henry Beberman and Robert Prast discovered that containerd incorrectly
validated image references when importing container checkpoints. An
attacker could possibly use this issue to poison the local image cach
Ubuntu
containerd vulnerabilities
vendor_ubuntu·2026-06-25·CVSS 7.5
CVE-2026-33814 [HIGH] containerd vulnerabilities
Title: containerd vulnerabilities
Summary: Several security issues were fixed in containerd.
It was discovered that containerd incorrectly handled HTTP/2 SETTINGS
frames. A remote attacker could possibly use this issue to cause containerd
to enter an infinite loop, resulting in a denial of service. This issue
only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2026-33814)
Jakub Ciolek and Kyle Elliott discovered that containerd incorrectly
handled group parsing when creating containers from images. An attacker
could possibly use this issue to cause containerd to consume excessive
memory, resulting in a denial of service. (CVE-2026-47262)
Robert Prast discovered that containerd incorrectly propagated labels
from image configurations to container
Ubuntu
containerd vulnerabilities
vendor_ubuntu·2026-06-25·CVSS 7.5
CVE-2026-47262 [HIGH] containerd vulnerabilities
Title: containerd vulnerabilities
Summary: Several security issues were fixed in containerd.
It was discovered that containerd incorrectly handled HTTP/2 SETTINGS
frames. A remote attacker could possibly use this issue to cause containerd
to enter an infinite loop, resulting in a denial of service. (CVE-2026-33814)
Jakub Ciolek and Kyle Elliott discovered that containerd incorrectly
handled group parsing when creating containers from images. An attacker
could possibly use this issue to cause containerd to consume excessive
memory, resulting in a denial of service. (CVE-2026-47262)
Henry Beberman and Robert Prast discovered that containerd incorrectly
validated image references when importing container checkpoints. An
attacker could possibly use this issue to poison the local image cach
VulDB
containerd up to 2.3.1 Image denial of service (Nessus ID 321801 / WID-SEC-2026-2009)
vuldb·2026-06-21
CVE-2026-47262 [LOW] containerd up to 2.3.1 Image denial of service (Nessus ID 321801 / WID-SEC-2026-2009)
A vulnerability was found in containerd up to 1.7.32/2.0.9/2.1.8/2.2.4/2.3.1. It has been declared as problematic. This issue affects some unknown processing of the component Image Handler. Executing a manipulation can lead to denial of service.
The identification of this vulnerability is CVE-2026-47262. The attack may be launched remotely. There is no exploit available.
It is recommended to upgrade the affected component.
GHSA
containerd image-triggered runtime DoS via unbounded group parsing
ghsa·2026-06-19
CVE-2026-47262 [MEDIUM] CWE-400 containerd image-triggered runtime DoS via unbounded group parsing
containerd image-triggered runtime DoS via unbounded group parsing
### Impact
A vulnerability in containerd allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components.
### Patches
This bug has been fixed in the following containerd versions:
* 2.3.2
* 2.2.5
* 2.1.9
* 2.0.10
* 1.7.33
Users should update to these versions to resolve the issue.
### Workarounds
Ensure that only trusted images are used and that only trusted users have permissions to import images or schedule pods.
### Credits
The
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-25
Published