HIGH Vulnerability
Verified
Global

NVD HIGH: CVE-2026-53488 — containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3...

Source: NIST NVD

Analysis

containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10, the CRI plugin propagates labels from an image config (the LABEL instruction in a Dockerfile) to a container without validation. This may result in the execution of an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10. CVSS Score: 8.8. Published: 2026-07-01T02:17:00.467.

Indicators of Compromise (1)

CVE (1)

CVE-2026-53488

Source Attribution

Originally published by NIST NVD on Jul 1, 2026. Verified by: NIST.
