Lucene search
K

Containerd 2.1.x < 2.1.9 / 2.2.x < 2.2.5 / 2.3.x < 2.3.2 Multiple Vulnerabilities

🗓️ 24 Jun 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 6 Views

Containerd before 2.1.9, 2.2.5, or 2.3.2 has flaws: cache poisoning and host file read.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(322408);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/26");

  script_cve_id("CVE-2026-50195", "CVE-2026-53489", "CVE-2026-53492");
  script_xref(name:"IAVA", value:"2026-A-0621");

  script_name(english:"Containerd 2.1.x < 2.1.9 / 2.2.x < 2.2.5 / 2.3.x < 2.3.2 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The container runtime installed on the remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Containerd on the remote host is 2.1.x prior to 2.1.9, 2.2.x prior to 2.2.5, or 2.3.x prior to 2.3.2.
It is, therefore, affected by multiple vulnerabilities:

  - containerd's CRI checkpoint import process contains a vulnerability where it fails to validate the image
    references specified within a checkpoint image's configuration. An attacker with permissions to create pods can
    use a crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local
    tag, thereby poisoning the node's local image cache. (CVE-2026-50195)

  - A bug was found in containerd where the CRI plugin restores container.log from a checkpoint image without
    validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs.
    (CVE-2026-53489)

  - containerd's CRI implementation improperly trusts Container Device Interface (CDI) annotations found within
    untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint,
    containerd preserves CDI-related annotations from the checkpoint archive rather than relying solely on the pod's
    create-time specification. This allows a user with pod creation permissions to bypass standard Kubernetes
    resource allocation and device plugin enforcement, injecting arbitrary CDI edits into the restored container.
    (CVE-2026-53492)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://github.com/containerd/containerd/security/advisories/GHSA-33vj-92qq-66hc
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?04da9b3e");
  # https://github.com/containerd/containerd/security/advisories/GHSA-cvxm-645q-p574
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5dedb188");
  # https://github.com/containerd/containerd/security/advisories/GHSA-rgh6-rfwx-v388
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2095b362");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Containerd version 2.1.9, 2.2.5, 2.3.2 or later.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-50195");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/06/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/06/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:linuxfoundation:containerd");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("containerd_installed.nbin");

  exit(0);
}

include('vdf.inc');

# @tvdl-content
var vuln_data = {
  'metadata': {'spec_version': '1.0'},
  'requires': [
    {'scope': 'target', 'match': {'os': 'linux'}}
  ],
  'checks': [
    {
      'product': {'name': 'containerd', 'type': 'app'},
      'check_algorithm': 'default',
      'constraints' : [
          {'min_version': '2.1.0', 'fixed_version': '2.1.9'},
          {'min_version': '2.2.0', 'fixed_version': '2.2.5'},
          {'min_version': '2.3.0', 'fixed_version': '2.3.2'}
      ]
    }
  ]
};
var vdf_result = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_HOLE);
vdf::handle_check_and_report_errors(vdf_result:vdf_result);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

26 Jun 2026 00:00Current
6Medium risk
Vulners AI Score6
6