CVE-2026-53492

Publication date 22 June 2026

Last updated 9 July 2026


Ubuntu priority

Cvss 3 Severity Score

9.6 · Critical

Score breakdown

Description

containerd is an open-source container runtime. In Versions prior to 2.3.2, 2.2.5 and 2.1.9, the CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations from the checkpoint archive rather than relying solely on the pod's create-time specification. This allows a user with pod creation permissions to bypass standard Kubernetes resource allocation and device plugin enforcement, injecting arbitrary CDI edits (such as device nodes and host mounts) into the restored container. Successful exploitation requires that the node has CDI enabled and contains a matching host CDI specification for the requested device; environments where CDI is disabled or lacking sensitive device specifications are not affected. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.

Read the notes from the security team

Why is this CVE high priority?

Critical severity

Learn more about Ubuntu priority

Status

Package Ubuntu Release Status
containerd 26.04 LTS resolute
Not affected
25.10 questing
Not affected
24.04 LTS noble
Not affected
22.04 LTS jammy
Not affected
20.04 LTS focal
Not affected
18.04 LTS bionic
Not affected
containerd-app 26.04 LTS resolute
Fixed 2.2.2-0ubuntu1.1
25.10 questing
Fixed 2.2.1-0ubuntu1~25.10.2
24.04 LTS noble
Fixed 2.2.1-0ubuntu1~24.04.3
22.04 LTS jammy
Fixed 2.2.1-0ubuntu1~22.04.2
20.04 LTS focal
Not affected
containerd-stable 26.04 LTS resolute
Fixed 2.2.2-0ubuntu1.1
25.10 questing
Fixed 2.1.6-0ubuntu1~25.10.2
24.04 LTS noble Not in release
22.04 LTS jammy Not in release

Notes


alexmurray

Traditionally the containerd source package contained both the library and docker application. However, in releases that contain the containerd-app source package, the containerd source package contains only the library whilst the docker application itself is contained in the containerd-app package.


mdeslaur

containerd-app gets new upstream versions, containerd-stable gets backported security updates and minor point updates

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
containerd-app
containerd-stable

Severity score breakdown

CVSS version:

Base score 8.4 · High

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

Base score 9.6 · Critical

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

References

Related Ubuntu Security Notices (USN)

    • USN-8472-1
    • containerd vulnerabilities
    • 25 June 2026
    • USN-8473-1
    • containerd vulnerabilities
    • 25 June 2026

Other references


Access our resources on patching vulnerabilities