CVE-2026-46680

User Directive Bypass in Containerd

Vulnerability report for CVE-2026-46680, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-02

Assigner: GitHub, Inc.

Description

containerd is an open-source container runtime. In versions prior to 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username, leading to runAsNonRoot evasion. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user. This issue has been fixed in versions 1.7.32, 2.0.9, 2.2.4 and 2.3.1.

Meta Information

  • Published: 2026-07-01
  • Last Modified: 2026-07-02
  • Generated: 2026-07-03
  • AI Q&A: 2026-07-01
  • EPSS Evaluated: N/A

Affected Vendors & Products (4 associated CPEs)

  Vendor           Product     Version / Range
  linuxfoundation  containerd  From 1.7.27 (inc) to 1.7.32 (exc)
  linuxfoundation  containerd  From 2.0.4 (inc) to 2.0.9 (exc)
  linuxfoundation  containerd  From 2.1.0 (inc) to 2.2.4 (exc)
  linuxfoundation  containerd  From 2.3.0 (inc) to 2.3.1 (exc)

Exploitability

  CWE ID   Description
  CWE-269  The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Compliance Impact

This vulnerability allows containers to bypass the Kubernetes runAsNonRoot security restriction, potentially causing containers to run with root privileges unexpectedly.

Running containers as root when non-root execution is required can lead to unauthorized privileged operations, increasing the risk of security breaches.

Such unauthorized privilege escalation may impact compliance with security requirements in common standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of sensitive data.

Therefore, environments relying on these standards that enforce non-root container execution could be at risk of non-compliance if this vulnerability is exploited.

Executive Summary

CVE-2026-46680 is a vulnerability in containerd, an open-source container runtime. It occurs when a container is launched with a numeric User directive that cannot be parsed as a 32-bit integer. Instead of rejecting this, containerd treats the large numeric string as a username.

If a malicious container image includes an /etc/passwd file that maps this large numeric string to the root user (UID 0), the container will run with root privileges. This bypasses Kubernetes' runAsNonRoot security restriction, which is intended to prevent containers from running as root.

This vulnerability allows containers to evade the runAsNonRoot restriction, potentially leading to containers running with unintended root privileges.

Impact Analysis

This vulnerability can allow a container to run with root privileges even when Kubernetes is configured to enforce non-root execution via the runAsNonRoot setting.

As a result, an attacker could gain unauthorized privileged access within the container, potentially leading to privilege escalation, unauthorized operations, and increased risk of compromise within the containerized environment.

This unexpected behavior can undermine security policies and controls designed to limit container privileges, increasing the attack surface and risk to the overall system.

Detection Guidance

Detecting exposure to this vulnerability means identifying containers launched with a numeric User directive that cannot be parsed as a 32-bit integer, and checking whether such a container is running as root despite the runAsNonRoot restriction.

One approach is to inspect running containers for their user context and verify if any container is running as root unexpectedly.

Suggested commands include:

  • Use kubectl to check the security context of pods: kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.name}{": "}{.spec.securityContext.runAsNonRoot}{"\n"}{end}'
  • Inspect the user ID inside running containers: kubectl exec <pod-name> -- id -u
  • Check the image's Dockerfile or image metadata for a numeric USER directive that is unusually large or non-standard.

Additionally, review the /etc/passwd file inside the container to see if a large numeric username is mapped to UID 0.
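The following Go program is an added illustration written for this page; it is not containerd's source and does not reproduce the project's actual code paths. It models the two behaviours the description contrasts (a numeric User value that does not fit in 32 bits falling through to a username lookup, versus rejecting it outright) and implements the passwd check from the guidance above: flag any /etc/passwd name that looks numeric but maps to UID 0. The passwd content, the function names and the value 4294967296 (one past the largest 32-bit UID) are all constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// passwdEntry is one parsed /etc/passwd line: name:password:uid:gid:gecos:home:shell.
type passwdEntry struct {
	Name string
	UID  uint32
}

// parsePasswd parses /etc/passwd content, skipping blank and comment lines.
func parsePasswd(content string) ([]passwdEntry, error) {
	var entries []passwdEntry
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Split(line, ":")
		if len(fields) < 3 {
			return nil, fmt.Errorf("malformed passwd line: %q", line)
		}
		uid, err := strconv.ParseUint(fields[2], 10, 32)
		if err != nil {
			return nil, fmt.Errorf("bad uid in %q: %w", line, err)
		}
		entries = append(entries, passwdEntry{Name: fields[0], UID: uint32(uid)})
	}
	return entries, nil
}

// isAllDigits reports whether s is non-empty and contains only ASCII digits.
func isAllDigits(s string) bool {
	return s != "" && strings.Trim(s, "0123456789") == ""
}

// lookupByName resolves a username through the parsed passwd entries.
func lookupByName(name string, entries []passwdEntry) (uint32, error) {
	for _, e := range entries {
		if e.Name == name {
			return e.UID, nil
		}
	}
	return 0, fmt.Errorf("user %q not found in passwd", name)
}

// resolveUserVulnerable models the behaviour the advisory describes (an
// illustration, not containerd's code): a User value that fails to parse as
// a 32-bit integer is treated as a username and looked up in passwd, so a
// crafted passwd line can map it to UID 0.
func resolveUserVulnerable(user string, entries []passwdEntry) (uint32, error) {
	if uid, err := strconv.ParseUint(user, 10, 32); err == nil {
		return uint32(uid), nil
	}
	return lookupByName(user, entries)
}

// resolveUserHardened never lets an all-digit value fall through to a
// username lookup: it is either a valid 32-bit UID or an error.
func resolveUserHardened(user string, entries []passwdEntry) (uint32, error) {
	if isAllDigits(user) {
		uid, err := strconv.ParseUint(user, 10, 32)
		if err != nil {
			return 0, fmt.Errorf("numeric User %q is not a valid 32-bit UID: %w", user, err)
		}
		return uint32(uid), nil
	}
	return lookupByName(user, entries)
}

// suspiciousRootAliases implements the detection check from the guidance:
// it returns passwd names that look numeric but map to UID 0.
func suspiciousRootAliases(entries []passwdEntry) []string {
	var names []string
	for _, e := range entries {
		if e.UID == 0 && isAllDigits(e.Name) {
			names = append(names, e.Name)
		}
	}
	return names
}

// constructedPasswd is a made-up /etc/passwd with one crafted alias line
// (constructed for this example, not taken from any real image).
const constructedPasswd = `root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/:/usr/sbin/nologin
4294967296:x:0:0:crafted alias:/root:/bin/sh
`

func main() {
	entries, err := parsePasswd(constructedPasswd)
	if err != nil {
		panic(err)
	}
	user := "4294967296" // 2^32: one past the largest 32-bit UID
	uid, err := resolveUserVulnerable(user, entries)
	fmt.Printf("vulnerable path: uid=%d err=%v\n", uid, err)
	_, err = resolveUserHardened(user, entries)
	fmt.Printf("hardened path:   err=%v\n", err)
	fmt.Printf("numeric names mapped to UID 0: %v\n", suspiciousRootAliases(entries))
}
```

Running it shows the vulnerable path resolving the crafted value to UID 0 while the hardened path returns an error. The suspiciousRootAliases check is the part worth running against a real container's /etc/passwd (for example by feeding it the output of kubectl exec &lt;pod-name&gt; -- cat /etc/passwd); any hit is an image-level indicator worth investigating, independent of which containerd version is deployed.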

Mitigation Strategies

Immediate mitigation steps include upgrading containerd to a fixed version: 1.7.32, 2.0.9, 2.2.4, or 2.3.1.

If upgrading is not immediately possible, apply the following workarounds:

  • Use only trusted container images to avoid malicious /etc/passwd manipulations.
  • Restrict image import permissions to prevent untrusted images from being used.
  • Enforce a specific numeric runAsUser in Kubernetes securityContext to override the image's USER directive.
  • Upgrade Kubernetes to version 1.34 or newer, which may enforce runAsNonRoot correctly and mitigate this issue.
