RunAsNonRoot Evasion Vulnerability in Containerd by Docker
CVE-2026-46680
What is CVE-2026-46680?
Containerd, an open-source container runtime by Docker, has a vulnerability in versions prior to 1.7.32, 2.0.9, 2.2.4, and 2.3.1. The flaw arises when a container is launched with a numeric User directive that cannot be parsed as a 32-bit integer: instead of being rejected, the value is misinterpreted as a username. If a malicious image supplies an /etc/passwd file that maps that numeric string to the root user, the container runs with root privileges (UID 0). This undermines Kubernetes' runAsNonRoot feature and can lead to unintended behavior in environments that rely on it to enforce non-root execution.
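As an added example, not containerd's own code, the following Go model shows the user-resolution step the advisory describes: a lenient resolver that falls back to /etc/passwd for any User value it cannot parse, beside a strict one that rejects digit-only values that do not fit in 32 bits. The passwd content, the oversized value and the function names are constructed for illustration, and the User value is assumed to carry no ":group" suffix.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrBadNumericUser is returned when User is all digits but is not a valid 32-bit UID.
var ErrBadNumericUser = errors.New("numeric User is not a valid 32-bit UID")

// Constructed /etc/passwd as a malicious image might ship it: the oversized
// numeric string is registered as a login name that maps to UID 0.
const SamplePasswd = "root:x:0:0:root:/root:/bin/sh\n" +
	"4294967296:x:0:0:alias:/root:/bin/sh\n" +
	"nobody:x:65534:65534:nobody:/:/sbin/nologin\n"

// lookupPasswd resolves a login name to its UID from passwd-format text (name:x:uid:...).
func lookupPasswd(passwd, name string) (uint32, bool) {
	sc := bufio.NewScanner(strings.NewReader(passwd))
	for sc.Scan() {
		f := strings.Split(sc.Text(), ":")
		if len(f) >= 3 && f[0] == name {
			if uid, err := strconv.ParseUint(f[2], 10, 32); err == nil {
				return uint32(uid), true
			}
		}
	}
	return 0, false
}

// isAllDigits reports whether s is non-empty and made only of ASCII digits.
func isAllDigits(s string) bool {
	return s != "" && strings.Trim(s, "0123456789") == ""
}

// ResolveUserLenient models the unsafe behaviour: anything that does not parse as a
// uint32 is treated as a username, so a digit string can be remapped through passwd.
func ResolveUserLenient(user, passwd string) (uint32, error) {
	if uid, err := strconv.ParseUint(user, 10, 32); err == nil {
		return uint32(uid), nil
	}
	if uid, ok := lookupPasswd(passwd, user); ok {
		return uid, nil
	}
	return 0, fmt.Errorf("unknown user %q", user)
}

// ResolveUserStrict is the hardened form: a digit-only User must be a valid uint32
// and is never looked up in passwd, so the remapping path is closed.
func ResolveUserStrict(user, passwd string) (uint32, error) {
	if uid, err := strconv.ParseUint(user, 10, 32); err == nil {
		return uint32(uid), nil
	}
	if isAllDigits(user) {
		return 0, ErrBadNumericUser
	}
	if uid, ok := lookupPasswd(passwd, user); ok {
		return uid, nil
	}
	return 0, fmt.Errorf("unknown user %q", user)
}
```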
Affected Version(s)
- containerd < 1.7.32
- containerd >= 2.0.4, < 2.0.9
- containerd >= 2.0.10, < 2.2.4
