#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
# Plugin registration block: when the script is loaded with `description` set,
# only the metadata below is recorded and the script exits (see exit(0) at the
# end of the block) before any version check runs.
if (description)
{
script_id(322408);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/26");
# All three CVEs concern the CRI checkpoint import/restore path, per the description text below.
script_cve_id("CVE-2026-50195", "CVE-2026-53489", "CVE-2026-53492");
script_xref(name:"IAVA", value:"2026-A-0621");
script_name(english:"Containerd 2.1.x < 2.1.9 / 2.2.x < 2.2.5 / 2.3.x < 2.3.2 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The container runtime installed on the remote host is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of Containerd on the remote host is 2.1.x prior to 2.1.9, 2.2.x prior to 2.2.5, or 2.3.x prior to 2.3.2.
It is, therefore, affected by multiple vulnerabilities:
- containerd's CRI checkpoint import process contains a vulnerability where it fails to validate the image
references specified within a checkpoint image's configuration. An attacker with permissions to create pods can
use a crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local
tag, thereby poisoning the node's local image cache. (CVE-2026-50195)
- A bug was found in containerd where the CRI plugin restores container.log from a checkpoint image without
validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs.
(CVE-2026-53489)
- containerd's CRI implementation improperly trusts Container Device Interface (CDI) annotations found within
untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint,
containerd preserves CDI-related annotations from the checkpoint archive rather than relying solely on the pod's
create-time specification. This allows a user with pod creation permissions to bypass standard Kubernetes
resource allocation and device plugin enforcement, injecting arbitrary CDI edits into the restored container.
(CVE-2026-53492)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# Each see_also value is a shortened link; the comment above it gives the
# upstream containerd advisory it is meant to point to.
# https://github.com/containerd/containerd/security/advisories/GHSA-33vj-92qq-66hc
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?04da9b3e");
# https://github.com/containerd/containerd/security/advisories/GHSA-cvxm-645q-p574
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5dedb188");
# https://github.com/containerd/containerd/security/advisories/GHSA-rgh6-rfwx-v388
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2095b362");
script_set_attribute(attribute:"solution", value:
"Upgrade to Containerd version 2.1.9, 2.2.5, 2.3.2 or later.");
script_set_attribute(attribute:"agent", value:"unix");
# NOTE(review): both base vectors declare an unauthenticated attacker (Au:N / PR:N),
# while the description text for CVE-2026-50195 (the declared cvss_score_source)
# says the attacker needs permission to create pods. Confirm the vectors against
# the upstream record before relying on the score for prioritisation.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-50195");
# Exploit status as recorded at plugin_modification_date; the temporal vectors above (E:U) carry the same claim.
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2026/06/18");
script_set_attribute(attribute:"patch_publication_date", value:"2026/06/18");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/24");
# Declared as a local check: it works from install data gathered by the
# dependency named in script_dependencies below, not from a network probe.
# Presumably this needs a credentialed or agent-based scan - confirm.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:linuxfoundation:containerd");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Detection of the containerd install is delegated to this plugin.
script_dependencies("containerd_installed.nbin");
# Leave description mode here so the version check below is not executed during registration.
exit(0);
}
include('vdf.inc');
# Version-only detection. The 'requires' entry limits the check to Linux targets,
# and the detected containerd version is compared with the three constraint
# branches below (presumably min_version inclusive and fixed_version exclusive,
# matching the "2.1.x prior to 2.1.9" wording of the description - confirm in vdf.inc).
# Installs below 2.1.0 match no constraint, so this plugin does not report on them.
# NOTE(review): nothing here inspects whether CRI checkpoint restore is in use on
# the host, and a vendor build that backports the fixes without changing the
# reported version would presumably still be flagged - verify findings against
# the package changelog before treating them as confirmed.
# @tvdl-content
var vuln_data = {
'metadata': {'spec_version': '1.0'},
'requires': [
{'scope': 'target', 'match': {'os': 'linux'}}
],
'checks': [
{
'product': {'name': 'containerd', 'type': 'app'},
'check_algorithm': 'default',
'constraints' : [
{'min_version': '2.1.0', 'fixed_version': '2.1.9'},
{'min_version': '2.2.0', 'fixed_version': '2.2.5'},
{'min_version': '2.3.0', 'fixed_version': '2.3.2'}
]
}
]
};
# Evaluate the checks and report any match at SECURITY_HOLE severity.
var vdf_result = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_HOLE);
# Pass the result to the vdf error handler; its exact behaviour is defined in vdf.inc, which is not shown here.
vdf::handle_check_and_report_errors(vdf_result:vdf_result);