high advisory

Arbitrary Host File Read via Symlink Following in containerd CRI Checkpoint Restore (CVE-2026-53489)

A high-severity vulnerability (CVE-2026-53489) in containerd's CRI plugin allows an unprivileged attacker to read arbitrary files on the host system by crafting a malicious checkpoint with a symlink that `containerd` follows during `container.log` restoration, enabling data exfiltration via `kubectl logs`.

A critical bug, tracked as CVE-2026-53489, has been identified in the containerd CRI plugin, impacting versions prior to 2.3.2, 2.2.5, and 2.1.9. This vulnerability allows an attacker to achieve arbitrary host file disclosure. The flaw stems from containerd failing to validate symlinked paths when restoring container.log from a checkpoint image. By crafting a malicious checkpoint that includes container.log as a symbolic link to a sensitive host file, an attacker can leverage a standard kubectl logs command to retrieve the contents of that file. This poses a significant risk of data exfiltration and unauthorized information gathering from the underlying host system, impacting Kubernetes and other container orchestration environments. The vulnerability was independently discovered by multiple researchers, indicating a high likelihood of exploitation.

Attack Chain

  1. Craft Malicious Checkpoint/Image: An attacker creates a container image or checkpoint where the expected container.log file is replaced with a symbolic link pointing to a sensitive file on the host filesystem (e.g., /etc/shadow, /root/.ssh/id_rsa).
  2. Deploy Malicious Image: The attacker deploys this specially crafted container image to a Kubernetes cluster or container environment running a vulnerable version of containerd.
  3. Containerd Restores Checkpoint: When the container is started or its checkpoint is restored, the containerd CRI plugin attempts to initialize the container.log path.
  4. Symlink Traversal: Due to the vulnerability (CVE-2026-53489), containerd follows the malicious symlink instead of validating the path, effectively linking the container's container.log output stream to the sensitive host file.
  5. Attacker Requests Logs: The attacker, possessing appropriate permissions to view container logs (e.g., via kubectl logs), issues a command to retrieve the logs of the compromised container.
  6. Containerd Reads Target File: containerd, processing the log request, reads the content of the file pointed to by the symlink (the sensitive host file).
  7. Data Exfiltration: The content of the sensitive host file is then returned to the attacker as if it were legitimate container log output, achieving arbitrary host file disclosure.
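The validation that steps 3 and 4 show missing, written as an added Go example (not containerd's own code): reject a restored container.log that is a symbolic link, is not a regular file, or resolves outside the container's log directory, and open it with O_NOFOLLOW so a link swapped in after the check still fails. The function names validateLogPath and openLogNoFollow are assumed here for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrUnsafeLogPath marks a restored container.log that must not be used.
var ErrUnsafeLogPath = errors.New("container.log: unsafe path rejected")

// validateLogPath rejects a container.log that is a symlink, is not a regular
// file, or resolves outside logDir once every path component is followed.
// Illustrative hardening for the restore step; not containerd's own code.
func validateLogPath(logDir, logPath string) error {
	fi, err := os.Lstat(logPath) // Lstat does not follow a final-component symlink
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("%w: %s is a symlink", ErrUnsafeLogPath, logPath)
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("%w: %s is not a regular file", ErrUnsafeLogPath, logPath)
	}
	// Resolve both sides so a symlinked parent directory cannot escape logDir.
	realDir, err := filepath.EvalSymlinks(logDir)
	if err != nil {
		return err
	}
	realLog, err := filepath.EvalSymlinks(logPath)
	if err != nil {
		return err
	}
	rel, err := filepath.Rel(realDir, realLog)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return fmt.Errorf("%w: %s resolves outside %s", ErrUnsafeLogPath, logPath, logDir)
	}
	return nil
}

// openLogNoFollow opens the log for appending without following a symlink at
// the final component, so a link swapped in after validation still fails (ELOOP).
func openLogNoFollow(logPath string) (*os.File, error) {
	return os.OpenFile(logPath, os.O_WRONLY|os.O_APPEND|syscall.O_NOFOLLOW, 0)
}
```

Both checks are needed: Lstat alone leaves a window between check and open, and O_NOFOLLOW alone does not catch a symlinked parent directory.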

Impact

The successful exploitation of CVE-2026-53489 can lead to significant information disclosure. Attackers can read any file accessible by the containerd process on the host system. This could include sensitive configuration files (e.g., /etc/kubernetes/kubelet.conf), SSH keys, credentials, or other proprietary data stored on the host. While the vulnerability doesn't directly grant remote code execution, the ability to read arbitrary files can be a crucial step in further privilege escalation or data exfiltration attacks within a compromised Kubernetes cluster or container host. All organizations running containerd versions prior to the patched releases are at risk, particularly those that allow deployment of untrusted container images.

Recommendation

  • Patch CVE-2026-53489: Immediately update containerd to patched versions (2.3.2, 2.2.5, or 2.1.9) as described in the GHSA advisory.
  • Implement Image Trust: Ensure that only trusted container images and checkpoints are used within your environment to minimize the risk of malicious artifacts.
  • Deploy File Access Monitoring: Configure host-level file activity monitoring (e.g., Auditd, Falco) to detect suspicious containerd process access to sensitive files or directories. Deploy the Sigma rules provided in this brief.
  • Enable Sysmon for Linux: For Linux hosts, consider enabling Sysmon for Linux to capture FileCreate and FileRead events, which the Sigma rules below consume.

Detection coverage (3 rules)

Detects CVE-2026-53489 Exploitation — containerd Reading Sensitive System Files (Shadow)

Level: high

Detects CVE-2026-53489 exploitation where containerd reads the /etc/shadow file, indicating potential symlink traversal from a malicious container log. This is an indicator of arbitrary host file disclosure.

Format: sigma. Tactics: collection, discovery. Techniques: T1005, T1083. Log source: file_event, linux.

Detects CVE-2026-53489 Exploitation — containerd Reading Sensitive System Files (Passwd)

Level: high

Detects CVE-2026-53489 exploitation where containerd reads the /etc/passwd file, indicating potential symlink traversal from a malicious container log. This is an indicator of arbitrary host file disclosure.

Format: sigma. Tactics: collection, discovery. Techniques: T1005, T1083. Log source: file_event, linux.

Detects CVE-2026-53489 Exploitation — containerd Accessing SSH Private Keys

Level: critical

Detects CVE-2026-53489 exploitation where containerd attempts to read files commonly associated with SSH private keys from the host filesystem, indicating an attempt to exfiltrate credentials via symlink traversal.

Format: sigma. Tactics: collection, credential_access. Techniques: T1005, T1552.004. Log source: file_event, linux.
