Vendor
Critical containerd CRI Vulnerability (CVE-2026-53488) Leads to Host-Root Command Execution
2 rules 2 TTPsA critical vulnerability (CVE-2026-53488) exists in the containerd CRI plugin where image configuration `LABEL` instructions are propagated to containers without validation, allowing an attacker to inject and execute arbitrary commands with host-root privileges on the underlying host when a maliciously crafted container image is pulled and processed by specific plugins.
Arbitrary Host File Read via Symlink Following in containerd CRI Checkpoint Restore (CVE-2026-53489)
3 rules 2 TTPsA high-severity vulnerability (CVE-2026-53489) in containerd's CRI plugin allows an unprivileged attacker to read arbitrary files on the host system by crafting a malicious checkpoint with a symlink that `containerd` follows during `container.log` restoration, enabling data exfiltration via `kubectl logs`.
containerd CRI Checkpoint Restore CDI Annotation Smuggling Vulnerability (CVE-2026-53492)
2 rules 2 TTPsA high-severity vulnerability (CVE-2026-53492) in containerd's CRI implementation allows an attacker with pod creation permissions to smuggle arbitrary Container Device Interface (CDI) annotations during container restoration, bypassing Kubernetes resource allocation and enabling unauthorized device and host mount injection into the restored container.
Containerd runAsNonRoot Bypass via Crafted User Directive (CVE-2026-46680)
2 rules 1 TTP 1 CVEA vulnerability in containerd allows for bypassing the Kubernetes `runAsNonRoot` restriction by exploiting a misinterpretation of large numeric User directives in container images, potentially leading to container execution as root (UID 0); this is tracked as CVE-2026-46680 and CVE-2024-40635.