CRI Label Injection in containerd 1.7.x/2.0-2.3 (1.7.33/2.3.2)
CVE-2026-53488 Published on July 1, 2026

containerd CRI plugin: image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull
containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10, the CRI plugin propagates labels from an image config (the `LABEL` instruction in a Dockerfile) to a container without validation. This can lead to arbitrary command execution on the host through a plugin that consumes container labels for some of its operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.
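As an added illustration of the mitigation the fix implies, and not code from containerd or from this advisory, the following Python audit drops image-config labels that fall in a runtime-reserved namespace and flags exec-capable log URIs before any label is propagated to a container. The `containerd.io/` prefix, the `binary` scheme list and the sample image config are assumptions made for the example.

```python
import json
from urllib.parse import urlparse

# Assumption: label namespace reserved for the runtime's own plugins
# (the restart monitor reads its settings from keys under this prefix).
RESERVED_PREFIXES = ("containerd.io/",)
# Assumption: log-URI schemes that make the runtime spawn a host process.
EXEC_SCHEMES = ("binary",)


def audit_image_labels(config_json):
    """Split an OCI image config's labels into allowed labels and findings.

    Returns (allowed, findings): `allowed` is the label dict with every
    reserved-namespace key dropped; `findings` explains each drop or flag,
    suitable for an admission log or a pull-time policy check.
    """
    labels = json.loads(config_json).get("config", {}).get("Labels") or {}
    allowed, findings = {}, []
    for key, value in labels.items():
        # Flag any label whose value is an exec-capable log URI, reserved or not.
        if urlparse(str(value)).scheme in EXEC_SCHEMES:
            findings.append(f"exec-capable log URI in label {key!r}: {value!r}")
        # Never let untrusted image metadata populate runtime-reserved keys.
        if key.startswith(RESERVED_PREFIXES):
            findings.append(f"dropped reserved-namespace label {key!r}")
            continue
        allowed[key] = value
    return allowed, findings


# Constructed sample image config mimicking a Dockerfile with two LABEL lines;
# the second one targets the reserved restart-monitor namespace.
SAMPLE_CONFIG = json.dumps({
    "architecture": "amd64",
    "config": {
        "Labels": {
            "org.opencontainers.image.title": "demo",
            "containerd.io/restart.loguri": "binary:///opt/example/logger",
        }
    }
})

if __name__ == "__main__":
    allowed, findings = audit_image_labels(SAMPLE_CONFIG)
    print("propagated labels:", allowed)
    for finding in findings:
        print("finding:", finding)
```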

NVD

Weakness Type

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.


Products Associated with CVE-2026-53488

- Amazon AWS
- Canonical Ubuntu Linux

Affected Versions

containerd: