9.4
CVE-2026-53488
- EPSS 0.2%
- Veröffentlicht 01.07.2026 00:11:20
- Zuletzt bearbeitet 03.07.2026 04:17:55
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
containerd CRI plugin: — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull
containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linuxfoundation ≫ Containerd Version >= 1.7.0 < 1.7.33
Linuxfoundation ≫ Containerd Version >= 2.0.0 < 2.0.10
Linuxfoundation ≫ Containerd Version >= 2.1.0 < 2.1.9
Linuxfoundation ≫ Containerd Version >= 2.2.0 < 2.2.5
Linuxfoundation ≫ Containerd Version >= 2.3.0 < 2.3.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.104 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2 | 6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
|
| security-advisories@github.com | 9.4 | 0 | 0 |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
https://github.com/containerd/containerd/security/advisories/GHSA-xhf5-7wjv-pqxp