CVE-2026-47262

Denial of Service in containerd

Vulnerability report for CVE-2026-47262, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2 contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When a container is created from such an image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components. This issue has been fixed in versions 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor      Product     Affected version range
containerd  containerd  up to 1.7.33 (exclusive)
containerd  containerd  up to 2.0.10 (exclusive)
containerd  containerd  up to 2.1.9 (exclusive)
containerd  containerd  up to 2.2.5 (exclusive)
containerd  containerd  up to 2.3.2 (exclusive)

CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.

Executive Summary

CVE-2026-47262 is a vulnerability in containerd, an open-source container runtime. It allows a maliciously crafted container image to cause a Denial of Service (DoS) condition by triggering memory exhaustion when a container is created from that image.

This memory exhaustion leads to an Out Of Memory (OOM) kill of the containerd process, which makes the container runtime API unavailable and disrupts clients such as Docker Engine or Kubernetes control-plane components.

The root cause is unbounded group parsing in the image-triggered runtime. The vulnerability affects containerd versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5, and 2.3.2, where patches have been released to fix the issue.

Impact Analysis

This vulnerability can impact you by causing a Denial of Service (DoS) condition in your container runtime environment.

When exploited, it leads to memory exhaustion and an Out Of Memory (OOM) kill of the containerd process, which makes the container runtime API unavailable.

This disruption can affect critical clients such as Docker Engine or Kubernetes control-plane components, potentially causing downtime or loss of availability for containerized applications.

As a mitigation, it is recommended to update to the fixed versions and restrict image imports to trusted sources and users with appropriate permissions.

Detection Guidance

This vulnerability causes a Denial of Service (DoS) condition by exhausting memory when a container is created from a maliciously crafted image, leading to an Out Of Memory (OOM) kill of the containerd process.

Detection can involve monitoring for unexpected OOM kills of the containerd process or disruptions in the container runtime API availability, which may affect Docker Engine or Kubernetes control-plane components.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The primary mitigation is to update containerd to a patched version: 1.7.33, 2.0.10, 2.1.9, 2.2.5, or 2.3.2.

As a temporary measure before updating, restrict usage to only trusted container images and limit image import or pod scheduling permissions to trusted users.
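A branch-aware check of a containerd version against the fixed releases listed above, as an added example that is not part of this advisory or of the containerd project. It assumes `containerd --version` is on PATH and prints a line containing a `vX.Y.Z` string, and it treats release branches newer than 2.3 as cut after the fix.

```python
"""Check a containerd version against the fixed releases for CVE-2026-47262."""
import re
import subprocess

# Fixed versions from the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (1, 7): (1, 7, 33),
    (2, 0): (2, 0, 10),
    (2, 1): (2, 1, 9),
    (2, 2): (2, 2, 5),
    (2, 3): (2, 3, 2),
}

# Constructed sample of `containerd --version` output (the format is an assumption).
SAMPLE_OUTPUT = "containerd github.com/containerd/containerd/v2 v2.1.8 0123abcd"


def parse_version(text):
    """Return (major, minor, patch) from text such as 'v1.7.32' or a
    `containerd --version` line; pre-release suffixes like '-rc.1' are dropped."""
    match = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(text):
    """True if the version in `text` predates the fix on its release branch."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return version < FIXED_VERSIONS[branch]
    # Branches older than 1.7 (e.g. 1.6.x) received no fix and fall under
    # "prior to 1.7.33"; branches newer than 2.3 are assumed to postdate the fix.
    return branch < min(FIXED_VERSIONS)


def installed_version_output():
    """Run the local containerd binary and return its --version output."""
    result = subprocess.run(["containerd", "--version"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    output = installed_version_output()
    state = "VULNERABLE" if is_vulnerable(output) else "patched"
    print(f"{state}: containerd {'.'.join(map(str, parse_version(output)))}")
```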

Compliance Impact

This vulnerability causes a Denial of Service (DoS) condition by exhausting memory and killing the containerd process, which disrupts the container runtime API and affects clients such as Docker Engine or Kubernetes control-plane components.

While the CVE description and resources detail the technical impact and mitigation steps, they do not explicitly address how this vulnerability affects compliance with common standards and regulations like GDPR or HIPAA.
