CVE-2026-53488
Published 2026-06-21 · CVSS 7.5 (High)
A vulnerability has been found in containerd up to 1.7.32/2.0.9/2.1.8/2.2.4/2.3.1 and classified as critical by VulDB (the CVSS score recorded on this page is 7.5, High). It affects an unspecified function of the CRI plugin and results in improper access control.
This vulnerability is tracked as CVE-2026-53488. The attack can be initiated remotely; per the GHSA entry below the trigger is image content, so "remote" here means an attacker who can get a crafted image pulled by the affected host. No public exploit is known.
The affected component should be upgraded to one of the fixed releases listed in the table below.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | containerd_containerd | >= 1.7.0 < 1.7.33 | 1.7.33 |
| github.com | containerd_containerd_v2 | >= 2.0.0 < 2.0.10 | 2.0.10 |
| github.com | containerd_containerd_v2 | >= 2.1.0 < 2.1.9 | 2.1.9 |
| github.com | containerd_containerd_v2 | >= 2.2.0 < 2.2.5 | 2.2.5 |
| github.com | containerd_containerd_v2 | >= 2.3.0 < 2.3.2 | 2.3.2 |
| ubuntu | containerd | — | — |
| ubuntu | containerd-app | — | — |
| ubuntu | containerd-stable | — | — |
VulDB
containerd up to 2.3.1 CRI Plugin access control (Nessus ID 321802 / WID-SEC-2026-2009)
vuldb·2026-06-21
GHSA
containerd CRI — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull
ghsa·2026-06-19 · HIGH · CWE-74
### Impact
A bug was found in containerd where the CRI plugin propagates labels from an image config (the `LABEL` instruction in a Dockerfile) to the container it creates without validation. Other containerd plugins treat container labels as trusted runtime configuration, so an image author can set keys the operator never asked for. As the advisory title states, the consumer here is the restart monitor's `binary://` log URI: that URI names an executable on the host, and the logger runs it with the daemon's privileges, which is why the title characterizes the outcome as host-root command execution from an image pull.
### Patches
This bug has been fixed in the following containerd versions:
* 2.3.2
* 2.2.5
* 2.1.9
* 2.0.10
* 1.7.33
Users should update to these versions to resolve the issue.
### Workarounds
Ensure that only trusted images are used. Because the trigger is image content rather than a network request, registry allow-lists and image signature verification are the relevant controls until the runtime is upgraded.
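The flaw and its fix side by side, as an added example that is not containerd's own code: a Go program that shows the vulnerable merge (every image-config label lands on the container) next to a filtered merge that drops image-supplied keys in the runtime's reserved `containerd.io/` namespace, and that scans a pulled image config for labels which would arm the restart monitor with a `binary://` logger, which is the concrete check behind the "only trusted images" workaround above. The label keys `containerd.io/restart.status` and `containerd.io/restart.loguri` are assumed to be those of containerd's restart plugin (verify against your version); the image config JSON is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Added example, not containerd's code. The label keys are ASSUMED to match
// the restart plugin's constants in containerd's runtime/restart package.
const (
	reservedPrefix     = "containerd.io/"
	restartStatusLabel = "containerd.io/restart.status"
	restartLogURILabel = "containerd.io/restart.loguri"
)

// ociConfig is the subset of an OCI image config that carries labels.
type ociConfig struct {
	Config struct {
		Labels map[string]string `json:"Labels"`
	} `json:"config"`
}

// mergeLabelsUnfiltered is the vulnerable shape: every image label is copied
// onto the container, so a Dockerfile LABEL can set runtime-reserved keys.
func mergeLabelsUnfiltered(imageLabels, containerLabels map[string]string) map[string]string {
	out := make(map[string]string, len(imageLabels)+len(containerLabels))
	for k, v := range imageLabels {
		out[k] = v
	}
	for k, v := range containerLabels { // labels given at container create win
		out[k] = v
	}
	return out
}

// mergeLabelsFiltered is the hardened shape: image-supplied keys in the
// reserved namespace are dropped before the merge and returned for logging.
func mergeLabelsFiltered(imageLabels, containerLabels map[string]string) (map[string]string, []string) {
	out := make(map[string]string, len(imageLabels)+len(containerLabels))
	dropped := []string{}
	for k, v := range imageLabels {
		if strings.HasPrefix(k, reservedPrefix) {
			dropped = append(dropped, k)
			continue
		}
		out[k] = v
	}
	for k, v := range containerLabels {
		out[k] = v
	}
	sort.Strings(dropped)
	return out, dropped
}

// scanImageConfig lists reserved-namespace labels in a raw image config and
// flags a restart log URI with the binary:// scheme, whose path names a host
// executable the logger would run.
func scanImageConfig(raw []byte) ([]string, error) {
	var cfg ociConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse image config: %w", err)
	}
	findings := []string{}
	for k, v := range cfg.Config.Labels {
		if !strings.HasPrefix(k, reservedPrefix) {
			continue
		}
		note := ""
		if k == restartLogURILabel {
			if u, err := url.Parse(v); err == nil && u.Scheme == "binary" {
				note = fmt.Sprintf(" [binary logger, host executable %s]", u.Path)
			}
		}
		findings = append(findings, k+"="+v+note)
	}
	sort.Strings(findings) // deterministic order for callers and tests
	return findings, nil
}

// sampleConfig is a CONSTRUCTED image config for this example, not a real image.
const sampleConfig = `{
  "config": {
    "Labels": {
      "org.opencontainers.image.source": "https://example.invalid/app",
      "containerd.io/restart.status": "running",
      "containerd.io/restart.loguri": "binary:///usr/local/bin/logger?tag=app"
    }
  }
}`

func main() {
	findings, err := scanImageConfig([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("reserved label from image:", f)
	}
	var cfg ociConfig
	if err := json.Unmarshal([]byte(sampleConfig), &cfg); err != nil {
		panic(err)
	}
	requested := map[string]string{"io.kubernetes.pod.name": "web"}
	fmt.Println("unfiltered:", mergeLabelsUnfiltered(cfg.Config.Labels, requested))
	merged, dropped := mergeLabelsFiltered(cfg.Config.Labels, requested)
	fmt.Println("filtered:", merged, "dropped:", dropped)
}
```

Feed `scanImageConfig` the config blob of an image before it is admitted (for example the output of `ctr images` tooling or a registry API call); any hit in the reserved namespace, and a `binary://` log URI in particular, is a reason to quarantine the image on an unpatched host. The filter in `mergeLabelsFiltered` is the shape of fix a runtime needs: image-supplied and operator-supplied labels must not share one trust level.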
### Credits
The containerd project would like to thank Anthropic Research, in collaboration with Claude, the GKE Security Team usi
Ubuntu
containerd vulnerabilities (vendor_ubuntu · 2026-06-25 · CVSS 7.5; indexed here under CVE-2026-53492)
Summary: Several security issues were fixed in containerd.
It was discovered that containerd incorrectly handled HTTP/2 SETTINGS
frames. A remote attacker could possibly use this issue to cause containerd
to enter an infinite loop, resulting in a denial of service. (CVE-2026-33814)
Jakub Ciolek and Kyle Elliott discovered that containerd incorrectly
handled group parsing when creating containers from images. An attacker
could possibly use this issue to cause containerd to consume excessive
memory, resulting in a denial of service. (CVE-2026-47262)
Henry Beberman and Robert Prast discovered that containerd incorrectly
validated image references when importing container checkpoints. An
attacker could possibly use this issue to poison the local image cach
Ubuntu
containerd vulnerabilities (vendor_ubuntu · 2026-06-25 · CVSS 7.5; indexed here under CVE-2026-33814)
Summary: Several security issues were fixed in containerd.
It was discovered that containerd incorrectly handled HTTP/2 SETTINGS
frames. A remote attacker could possibly use this issue to cause containerd
to enter an infinite loop, resulting in a denial of service. This issue
only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2026-33814)
Jakub Ciolek and Kyle Elliott discovered that containerd incorrectly
handled group parsing when creating containers from images. An attacker
could possibly use this issue to cause containerd to consume excessive
memory, resulting in a denial of service. (CVE-2026-47262)
Robert Prast discovered that containerd incorrectly propagated labels
from image configurations to container
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.