Symlink Vulnerability in containerd by Docker
CVE-2026-53489

8.2 HIGH

Key Information:

Vendor:
Containerd

CVE Published:
1 July 2026

What is CVE-2026-53489?

A security flaw exists in the containerd open-source container runtime: when the CRI plugin restores a container from a checkpoint image, it restores container.log without validating symlink paths. An attacker can exploit this to gain unauthorized access to arbitrary files on the host machine via kubectl logs, which poses a significant security risk. The issue has been fixed in versions 2.3.2, 2.2.5, and 2.1.9.
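The defect described above is a missing check that a log path restored from untrusted checkpoint data cannot escape the log directory through a symlink. The Go program below is an added example, not containerd's own code or its fix: it shows one way to perform that check by resolving every symlink in the path and confirming the result still lies under the permitted root. The function names, the root directory layout and the sample files are assumptions constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when a path, after every symlink is followed,
// lands outside the directory it is supposed to stay in.
var ErrEscapesRoot = errors.New("path resolves outside the permitted root")

// ResolveWithinRoot takes an untrusted relative path (for example a log path
// carried in a checkpoint image; hypothetical input) and returns its fully
// resolved absolute location, or ErrEscapesRoot if any symlink in the chain
// leads outside root. A path that does not exist yet is accepted only if its
// parent directory resolves inside root, so a symlinked directory component
// is still caught.
func ResolveWithinRoot(root, candidate string) (string, error) {
	resolvedRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", fmt.Errorf("resolving root: %w", err)
	}
	resolvedRoot, err = filepath.Abs(resolvedRoot)
	if err != nil {
		return "", err
	}

	// Join cleans "../" segments lexically; the symlink resolution below
	// catches what lexical cleaning cannot.
	target := filepath.Join(resolvedRoot, candidate)

	var resolved string
	_, lerr := os.Lstat(target)
	switch {
	case lerr == nil:
		// The leaf exists: follow every link, including one planted at the leaf.
		resolved, err = filepath.EvalSymlinks(target)
	case errors.Is(lerr, os.ErrNotExist):
		// Not created yet: resolve the parent directory and keep the leaf name.
		parent, perr := filepath.EvalSymlinks(filepath.Dir(target))
		if perr != nil {
			return "", perr
		}
		resolved = filepath.Join(parent, filepath.Base(target))
	default:
		return "", lerr
	}
	if err != nil {
		return "", err
	}

	if !isWithin(resolvedRoot, resolved) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrEscapesRoot, candidate, resolved)
	}
	return resolved, nil
}

// isWithin reports whether p is root itself or a descendant of it, using a
// relative-path computation rather than a string prefix test (a prefix test
// would wrongly accept /var/log-other for root /var/log).
func isWithin(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Stand-alone demo on a constructed layout: a legitimate log file and a
	// symlink inside the log root that points at a file outside it.
	root, _ := os.MkdirTemp("", "logroot")
	outside, _ := os.MkdirTemp("", "outside")
	defer os.RemoveAll(root)
	defer os.RemoveAll(outside)

	secret := filepath.Join(outside, "secret")
	_ = os.WriteFile(secret, []byte("host-only data"), 0o600)
	_ = os.MkdirAll(filepath.Join(root, "pod"), 0o700)
	_ = os.WriteFile(filepath.Join(root, "pod", "container.log"), nil, 0o600)
	_ = os.Symlink(secret, filepath.Join(root, "pod", "planted.log"))

	traversal := "../" + filepath.Base(outside) + "/secret"
	for _, c := range []string{"pod/container.log", "pod/new.log", "pod/planted.log", traversal} {
		p, err := ResolveWithinRoot(root, c)
		fmt.Printf("%-40s -> %q err=%v\n", c, p, err)
	}
}
```

The leaf and the parent are resolved separately so that a file which the restore is about to create is still checked: the directory it will be written into must itself resolve inside the root. Rejecting with a distinct error value lets the caller log the event as a tampered checkpoint rather than as a generic I/O failure.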

Affected Version(s)

containerd >= 2.1.0, < 2.1.9 (introduced in 2.1.0, fixed in 2.1.9)

containerd >= 2.2.0, < 2.2.5 (introduced in 2.2.0, fixed in 2.2.5)

containerd >= 2.3.0, < 2.3.2 (introduced in 2.3.0, fixed in 2.3.2)

CVSS v4

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved