CVE-2026-53488
Received
Received - Intake
BaseFortify
Vulnerability report for CVE-2026-53488, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-01
Last updated on: 2026-07-01
Assigner: GitHub, Inc.
Description
Description
containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| containerd | containerd | to 1.7.33 (exc) |
| containerd | containerd | to 2.0.10 (exc) |
| containerd | containerd | From 2.1.9 (inc) to 2.2.5 (exc) |
| containerd | containerd | From 2.2.5 (inc) to 2.3.2 (exc) |
| containerd | containerd | From 2.3.2 (inc) to 2.3.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |