Vulnerability DatabaseCVE-2026-53488
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-53488
Published:June 18, 2026
Updated:June 20, 2026
Impact A bug was found in containerd where the CRI plugin propagates labels from an image config ("LABEL" instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. Patches This bug has been fixed in the following containerd versions: * 2.3.2 * 2.2.5 * 2.1.9 * 2.0.10 * 1.7.33 Users should update to these versions to resolve the issue. Workarounds Ensure that only trusted images are used. Credits The containerd project would like to thank Anthropic Research, in collaboration with Claude, the GKE Security Team using Gemini, and Robert Prast (@robertprast) for independently discovering and responsibly disclosing this issue in accordance with the "containerd security policy" (https://github.com/containerd/project/blob/main/SECURITY.md). For more information If you have any questions or comments about this advisory: * Open an issue in "containerd" (https://github.com/containerd/containerd/issues/new/choose) * Email us at "security@containerd.io" (mailto:security@containerd.io) To report a security issue in containerd: * "Report a new vulnerability" (https://github.com/containerd/containerd/security/advisories/new) * Email us at "security@containerd.io" (mailto:security@containerd.io)
Affected Packages
https://github.com/containerd/containerd.git (GITHUB):
Affected version(s) >=v1.7.0 <v1.7.33
Fix Suggestion:
Update to version v1.7.33
https://github.com/containerd/containerd.git (GITHUB):
Affected version(s) >=v2.3.0 <v2.3.2
Fix Suggestion:
Update to version v2.3.2
https://github.com/containerd/containerd.git (GITHUB):
Affected version(s) >=v2.1.0 <v2.1.9
Fix Suggestion:
Update to version v2.1.9
https://github.com/containerd/containerd.git (GITHUB):
Affected version(s) >=v2.0.0 <v2.0.10
Fix Suggestion:
Update to version v2.0.10
https://github.com/containerd/containerd.git (GITHUB):
Affected version(s) >=v2.2.0 <v2.2.5
Fix Suggestion:
Update to version v2.2.5
github.com/containerd/containerd/v2 (GO):
Affected version(s) >=v2.1.0 <v2.1.9
Fix Suggestion:
Update to version v2.1.9
github.com/containerd/containerd (GO):
Affected version(s) >=v1.7.0 <v1.7.33
Fix Suggestion:
Update to version v1.7.33
github.com/containerd/containerd/v2 (GO):
Affected version(s) >=v2.3.0 <v2.3.2
Fix Suggestion:
Update to version v2.3.2
github.com/containerd/containerd/v2 (GO):
Affected version(s) >=v2.0.0 <v2.0.10
Fix Suggestion:
Update to version v2.0.10
github.com/containerd/containerd/v2 (GO):
Affected version(s) >=v2.0.0 <v2.0.10
Fix Suggestion:
Update to version v2.0.10
github.com/containerd/containerd/v2 (GO):
Affected version(s) >=v2.2.0 <v2.2.5
Fix Suggestion:
Update to version v2.2.5
github.com/containerd/containerd/v2 (GO):
Affected version(s) =v2.3.0 <v2.3.2
Fix Suggestion:
Update to version v2.3.2
Related Resources (4)
https://github.com/containerd/containerd/releases/tag/v1.7.33
https://github.com/containerd/containerd/security/advisories/GHSA-xhf5-7wjv-pqxp
https://github.com/containerd/containerd
https://github.com/containerd/containerd/releases/tag/v2.3.2
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-74