Container Runtime Vulnerability in containerd by Docker
CVE-2026-50195
What is CVE-2026-50195?
containerd, an open-source container runtime developed by Docker, has a vulnerability in its Container Runtime Interface (CRI) checkpoint import process. This vulnerability arises when containerd fails to validate image references in a checkpoint image's configuration. An attacker with permission to create pods could craft a malicious checkpoint image that forces containerd to pull a harmful image and assign it an arbitrary local tag. This could corrupt the node's image cache. If other pods on the same node employ a pull policy of IfNotPresent or Never, they may inadvertently execute the attacker's malicious image instead of the appropriate one, potentially compromising the affected pods and allowing for arbitrary code execution under the identity of the victim pod. Affected versions have been updated, with fixes available in versions 2.3.2, 2.2.5, and 2.1.9.
Affected Version(s)
containerd >= 2.1.0, < 2.1.9 < 2.1.0, 2.1.9
containerd >= 2.2.0, < 2.2.5 < 2.2.0, 2.2.5
containerd >= 2.3.0, < 2.3.2 < 2.3.0, 2.3.2
