Arbitrary Command Execution in Container Runtime by containerd Affecting Specific Versions
CVE-2026-53488

9.4 CRITICAL

Key Information:

Vendor: containerd

CVE Published: 1 July 2026

What is CVE-2026-53488?

An issue has been identified in the containerd runtime: the CRI plugin propagates labels from an image's configuration to the containers created from it without adequate validation. When another plugin uses those container labels during its operations, this can lead to arbitrary command execution on the host. The issue is fixed in containerd 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2.

Affected Version(s)

containerd < 1.7.33

containerd >= 2.0.0, < 2.0.10

containerd >= 2.1.0, < 2.1.9
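As an added example (not part of this advisory or of the containerd project), a small Python check that classifies a containerd version string against the fixed releases named in the description above. The branch table is built only from the fix versions the advisory lists; a branch the advisory does not name is reported as unknown rather than guessed, and the sample inputs are constructed.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory description, keyed by minor branch.
# Any branch not in this table is reported as "unknown", not assumed safe.
FIXED_BY_BRANCH = {
    (1, 7): (1, 7, 33),
    (2, 0): (2, 0, 10),
    (2, 1): (2, 1, 9),
    (2, 2): (2, 2, 5),
    (2, 3): (2, 3, 2),
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first X.Y.Z triple from a version string such as 'v1.7.28'
    or a full `containerd --version` line. Returns None if none is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Classify a containerd version against CVE-2026-53488.
    'affected' -> older than the fixed release on its X.Y branch
    'fixed'    -> at or above the fixed release on its X.Y branch
    'unknown'  -> branch not named by the advisory, or unparseable input"""
    v = parse_version(text)
    if v is None:
        return "unknown"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown"
    return "affected" if v < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample inputs; the long one mimics `containerd --version` output.
    samples = ["v1.7.28", "containerd github.com/containerd/containerd v2.0.10",
               "2.1.8", "2.4.0", "garbage"]
    for s in samples:
        print(f"{s!r}: {assess(s)}")
```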

CVSS v4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved