Container Device Interface Trust Issue in containerd by Docker
CVE-2026-53492
What is CVE-2026-53492?
The containerd runtime trusts Container Device Interface (CDI) annotations carried in a checkpoint image when it restores a container from that image. Because the annotations are not validated against what the orchestrator actually granted, a user who is allowed to create pods can inject arbitrary CDI modifications into the restored container, bypassing the Kubernetes resource allocation and device plugin controls that normally govern device access. Successful exploitation requires that CDI is enabled on the node and that a matching host CDI specification exists. This issue poses significant risk in environments that rely on Kubernetes and container orchestration.
Affected Version(s)
Affected range                 Not affected    Fixed in
containerd >= 2.1.0, < 2.1.9   < 2.1.0         2.1.9
containerd >= 2.2.0, < 2.2.5   < 2.2.0         2.2.5
containerd >= 2.3.0, < 2.3.2   < 2.3.0         2.3.2
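The ranges above are easy to misread when checking a fleet by hand, so the following is an added helper (example code written for this page, not part of containerd or the advisory) that parses a version string and reports whether it falls in one of the affected ranges listed above. It assumes the version can be read from output such as that of `containerd --version`; the sample strings in the block are constructed for illustration. Pre-release suffixes (for example `-rc.1`) are ignored, so a pre-release of a fixed version is treated as fixed; that is a deliberate simplification noted in the code.

```python
"""Check a containerd version against the affected ranges for CVE-2026-53492."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as published on this page: [first affected, first fixed)
# for each release line. Versions below 2.1.0 are not listed as affected.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((2, 1, 0), (2, 1, 9)),
    ((2, 2, 0), (2, 2, 5)),
    ((2, 3, 0), (2, 3, 2)),
]

# Matches "2.2.4" or "v2.2.4"; a "-rc.1" style suffix is deliberately not
# captured, so pre-releases compare as the release they precede.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from a bare version or from a longer
    string such as a `containerd --version` line (assumed format)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True if the version found in `text` lies in an affected range."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no version number found in: {text!r}")
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(text: str) -> Optional[str]:
    """Return the patched release for an affected version, else None."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no version number found in: {text!r}")
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(x) for x in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inputs, shaped like `containerd --version` output.
    samples = [
        "containerd github.com/containerd/containerd/v2 v2.1.8 0123abcd",
        "containerd github.com/containerd/containerd/v2 v2.2.5 4567ef01",
        "v2.3.1",
        "v1.7.27",
    ]
    for s in samples:
        status = "AFFECTED -> upgrade to " + fixed_version_for(s) if is_affected(s) else "not affected"
        print(f"{parse_version(s)}: {status}")
```

Run it on a node with `containerd --version | python3 check_cve_2026_53492.py` style piping adapted to your tooling, or import `is_affected` into an inventory script. Remember that a version in the affected range is only exploitable when CDI is enabled on the node and a matching host CDI specification is present, so version status alone does not establish exposure.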
