CVE-2026-53492
Publication date 22 June 2026
Last updated 9 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
containerd is an open-source container runtime. In Versions prior to 2.3.2, 2.2.5 and 2.1.9, the CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations from the checkpoint archive rather than relying solely on the pod's create-time specification. This allows a user with pod creation permissions to bypass standard Kubernetes resource allocation and device plugin enforcement, injecting arbitrary CDI edits (such as device nodes and host mounts) into the restored container. Successful exploitation requires that the node has CDI enabled and contains a matching host CDI specification for the requested device; environments where CDI is disabled or lacking sensitive device specifications are not affected. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
Read the notes from the security team
Why is this CVE high priority?
Critical severity
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| containerd | 26.04 LTS resolute |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| containerd-app | 26.04 LTS resolute |
Fixed 2.2.2-0ubuntu1.1
|
| 24.04 LTS noble |
Fixed 2.2.1-0ubuntu1~24.04.3
|
|
| 22.04 LTS jammy |
Fixed 2.2.1-0ubuntu1~22.04.2
|
|
| 20.04 LTS focal |
Not affected
|
|
| containerd-stable | 26.04 LTS resolute |
Fixed 2.2.2-0ubuntu1.1
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release |
Notes
alexmurray
Traditionally the containerd source package contained both the library and docker application. However, in releases that contain the containerd-app source package, the containerd source package contains only the library whilst the docker application itself is contained in the containerd-app package.
mdeslaur
containerd-app gets new upstream versions, containerd-stable gets backported security updates and minor point updates
Severity score breakdown
CVSS version:
Base score
8.4 · High
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N
Base score
9.6 · Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
References
Related Ubuntu Security Notices (USN)
- USN-8472-1
- containerd vulnerabilities
- 25 June 2026
- USN-8473-1
- containerd vulnerabilities
- 25 June 2026