CVE-2026-53488

EUVD-2026-40860
containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10, the CRI plugin propagates labels from an image config (the LABEL instruction in a Dockerfile) to the container without validation. Because an image author controls those label values, a plugin that consumes container labels for some of its operations may be driven into executing an arbitrary command on the host. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.
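As an added example (not code from containerd or from the advisory), the following Go program does the two things an operator wants from this entry: it decides whether an upstream containerd version string falls in the vulnerable range using the five fixed versions named above, and it reads the labels out of an OCI image config, since those are the values an unpatched CRI plugin copies onto the container unvalidated. The SuspiciousLabels heuristic (flagging values that contain shell metacharacters) and the sample image config are assumptions of this example; the advisory does not say which label values a consuming plugin acts on.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// fixedVersions maps each release branch named in the advisory to the first
// patch release on that branch that contains the fix.
var fixedVersions = map[string]int{
	"1.7": 33,
	"2.0": 10,
	"2.1": 9,
	"2.2": 5,
	"2.3": 2,
}

// parseVersion accepts "v1.7.32", "1.7.32" or "1.7.32-1" and returns the
// major.minor branch and the patch number. Anything after the patch number
// (distro suffixes such as "-1" or "+ds1-1") is ignored.
func parseVersion(v string) (branch string, patch int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+~"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return "", 0, fmt.Errorf("unexpected version format %q", v)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		if nums[i], err = strconv.Atoi(p); err != nil {
			return "", 0, fmt.Errorf("non-numeric component %q in %q", p, v)
		}
	}
	return fmt.Sprintf("%d.%d", nums[0], nums[1]), nums[2], nil
}

// Affected reports whether an upstream containerd version is in the range the
// advisory describes. Branches the advisory does not name (for example 1.6)
// yield an error so the caller has to look them up rather than assume.
func Affected(v string) (bool, error) {
	branch, patch, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	fixedPatch, ok := fixedVersions[branch]
	if !ok {
		return false, fmt.Errorf("branch %s is not covered by the advisory text", branch)
	}
	return patch < fixedPatch, nil
}

// ociImageConfig is the subset of an OCI image configuration needed to read
// the labels that a Dockerfile LABEL instruction produces.
type ociImageConfig struct {
	Config struct {
		Labels map[string]string `json:"Labels"`
	} `json:"config"`
}

// ImageLabels returns the labels from an OCI image config JSON document.
func ImageLabels(configJSON []byte) (map[string]string, error) {
	var ic ociImageConfig
	if err := json.Unmarshal(configJSON, &ic); err != nil {
		return nil, err
	}
	return ic.Config.Labels, nil
}

// SuspiciousLabels is a triage heuristic of this example (not something the
// advisory specifies): it returns, sorted, the keys of labels whose values
// contain characters a shell would interpret. Review the hits by hand.
func SuspiciousLabels(labels map[string]string) []string {
	var keys []string
	for k, v := range labels {
		if strings.ContainsAny(v, ";|&$`<>\n") {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys
}

// sampleConfig is a constructed OCI image config used only for this demo.
const sampleConfig = `{
  "architecture": "amd64",
  "os": "linux",
  "config": {
    "Labels": {
      "org.opencontainers.image.source": "https://example.invalid/repo",
      "com.example.hook": "echo hello; id"
    }
  }
}`

func main() {
	for _, v := range []string{"v1.7.32", "1.7.33", "2.2.4", "2.3.2", "1.6.36"} {
		aff, err := Affected(v)
		fmt.Printf("%-8s affected=%v err=%v\n", v, aff, err)
	}
	labels, err := ImageLabels([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	fmt.Println("image labels:", labels)
	fmt.Println("labels worth a look:", SuspiciousLabels(labels))
}
```

Affected applies to upstream version numbers only. Distribution packages backport fixes under older version strings: the Amazon Linux 2023 entry below marks 0:2.2.4-1.amzn2023.0.3 as fixed even though upstream 2.2.4 is in the vulnerable range, so for packaged containerd the distro tracker, not the upstream number, is the authority.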
CVSS 3.x
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  UNKNOWN     (awaiting analysis)
This vulnerability is currently awaiting analysis; no base score or vector string has been published yet.
EPSS Score: Percentile 13%
Debian Releases
Product     Codename             Version      Status
containerd  bookworm             -            vulnerable
containerd  bookworm (security)  -            vulnerable
containerd  bullseye             -            vulnerable
containerd  bullseye (security)  -            vulnerable
containerd  forky                2.1.9+ds1-1  fixed
containerd  sid                  2.1.9+ds1-1  fixed
containerd  trixie               -            vulnerable
containerd  trixie (security)    -            vulnerable
Amazon Linux Releases
Package                      Release            Version                   Status
containerd                   Amazon Linux 2023  0:2.2.4-1.amzn2023.0.3    fixed
containerd-debuginfo         Amazon Linux 2023  0:2.2.4-1.amzn2023.0.3    fixed
containerd-debugsource       Amazon Linux 2023  0:2.2.4-1.amzn2023.0.3    fixed
containerd-stress            Amazon Linux 2023  0:2.2.4-1.amzn2023.0.3    fixed
containerd-stress-debuginfo  Amazon Linux 2023  0:2.2.4-1.amzn2023.0.3    fixed
Azure Linux Releases
Package      Release          Version         Status
containerd2  Azure Linux 3.0  0:2.2.4-3.azl3  fixed