Description
containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-xhf5-7wjv-pqxp | containerd CRI — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull |
Ubuntu USN |
USN-8471-1 | containerd vulnerabilities |
Ubuntu USN |
USN-8472-1 | containerd vulnerabilities |
Ubuntu USN |
USN-8473-1 | containerd vulnerabilities |
References
History
Wed, 01 Jul 2026 01:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10. | |
| Title | containerd CRI plugin: — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull | |
| Weaknesses | CWE-20 | |
| References |
| |
| Metrics |
cvssV4_0
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-01T00:11:20.610Z
Reserved: 2026-06-09T17:05:25.059Z
Link: CVE-2026-53488
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
Github GHSA
Ubuntu USN