{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/containerd/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":4.6,"id":"CVE-2024-40635"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["containerd/containerd","containerd/containerd/v2"],"_cs_severities":["high"],"_cs_tags":["runAsNonRoot","privilege-escalation","containerd","kubernetes"],"_cs_type":"advisory","_cs_vendors":["containerd"],"content_html":"\u003cp\u003eA vulnerability exists within containerd that allows a malicious container image to bypass the \u003ccode\u003erunAsNonRoot\u003c/code\u003e security context in Kubernetes. This occurs when a container image specifies a numeric \u003ccode\u003eUser\u003c/code\u003e directive that is too large to be parsed as a standard 32-bit integer, which containerd then incorrectly interprets as a username. If the attacker crafts a malicious image with an \u003ccode\u003e/etc/passwd\u003c/code\u003e file that maps this large numeric string to root, the container will execute as root, subverting intended security policies. This issue affects containerd versions before 2.3.1, 2.2.4, 2.0.9, and 1.7.32. Exploitation could lead to unauthorized access and privilege escalation within the containerized environment. This bypass impacts security implementations relying on \u003ccode\u003erunAsNonRoot\u003c/code\u003e to enforce least privilege. 
The vulnerability is identified as CVE-2026-46680 and CVE-2024-40635.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker builds a malicious container image that ships a crafted \u003ccode\u003e/etc/passwd\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThat \u003ccode\u003e/etc/passwd\u003c/code\u003e contains an entry whose username is a large numeric string (e.g., \u0026ldquo;9999999999\u0026rdquo;, which does not fit in a 32-bit integer) and whose UID is 0 (root).\u003c/li\u003e\n\u003cli\u003eThe Dockerfile for the image sets the same string as the user (e.g., \u003ccode\u003eUSER 9999999999\u003c/code\u003e), so the image config carries a \u003ccode\u003eUser\u003c/code\u003e value that looks numeric but is out of range.\u003c/li\u003e\n\u003cli\u003eA pod that uses the malicious image is deployed with \u003ccode\u003erunAsNonRoot: true\u003c/code\u003e in its securityContext and no explicit \u003ccode\u003erunAsUser\u003c/code\u003e. The attacker does not need to control the pod spec: the setting may come from the pod author or from an admission policy, and the check accepts the image because its user is a non-zero number.\u003c/li\u003e\n\u003cli\u003eContainerd attempts to start the container. Because the value cannot be parsed as a 32-bit UID, containerd falls back to treating it as a username.\u003c/li\u003e\n\u003cli\u003eContainerd consults the \u003ccode\u003e/etc/passwd\u003c/code\u003e file inside the image, finds the crafted entry, and resolves the name to UID 0 (root).\u003c/li\u003e\n\u003cli\u003eThe container is launched and executes as root, bypassing the intended \u003ccode\u003erunAsNonRoot\u003c/code\u003e restriction.\u003c/li\u003e\n\u003cli\u003eAttacker holds root inside the container, a far stronger starting point for container-escape and lateral-movement attempts than the unprivileged user the policy intended.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass the \u003ccode\u003erunAsNonRoot\u003c/code\u003e security context in Kubernetes, forcing containers to run as root even when explicitly restricted. 
This can lead to privilege escalation, unauthorized access to sensitive data, and potential compromise of the entire Kubernetes cluster. Root inside the container is not by itself a container escape, but it removes the file-ownership, capability and privileged-port restrictions an unprivileged UID would have imposed (writes to any mounted volume regardless of ownership, use of capabilities the container is granted only as UID 0) and is the usual starting point for kernel and runtime escape techniques. The impact is especially severe in environments where \u003ccode\u003erunAsNonRoot\u003c/code\u003e is a critical security control for preventing container escape and lateral movement. The number of affected systems depends on the prevalence of vulnerable containerd versions and the reliance on \u003ccode\u003erunAsNonRoot\u003c/code\u003e for security enforcement.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade containerd to versions 2.3.1, 2.2.4, 2.0.9, or 1.7.32 (or later in the same release line) to patch the vulnerability as described in the advisory [GHSA-fqw6-gf59-qr4w].\u003c/li\u003e\n\u003cli\u003eAs a workaround, set an explicit non-zero numeric \u003ccode\u003erunAsUser\u003c/code\u003e (and \u003ccode\u003erunAsGroup\u003c/code\u003e) in the Pod \u003ccode\u003esecurityContext\u003c/code\u003e. A numeric \u003ccode\u003erunAsUser\u003c/code\u003e is validated by the kubelet and passed to the runtime directly, so the \u003ccode\u003eUSER\u003c/code\u003e directive of the image and its \u003ccode\u003e/etc/passwd\u003c/code\u003e are never consulted. Enforce this with an admission policy rather than relying on individual pod authors.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Containerd runAsNonRoot Bypass via Large UID\u0026rdquo; to identify exploitation attempts by flagging pods whose image user is numeric but outside the 32-bit range.\u003c/li\u003e\n\u003cli\u003eScan container images (in the registry or at admission) for \u003ccode\u003e/etc/passwd\u003c/code\u003e entries whose username is a purely numeric string, in particular one that maps to UID 0; a numeric username is ambiguous with a UID and should be treated as a red flag.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T21:41:41Z","date_published":"2026-05-21T21:41:41Z","id":"https://feed.craftedsignal.io/briefs/2026-05-containerd-runasnonroot-bypass/","summary":"A vulnerability in containerd allows for bypassing the Kubernetes `runAsNonRoot` restriction by exploiting a misinterpretation of large numeric User directives in container images, potentially leading to container execution as root (UID 0); this is tracked as CVE-2026-46680 and CVE-2024-40635.","title":"Containerd runAsNonRoot Bypass via Crafted User Directive 
(CVE-2026-46680)","url":"https://feed.craftedsignal.io/briefs/2026-05-containerd-runasnonroot-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Containerd","version":"https://jsonfeed.org/version/1.1"}
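The resolution path the brief above describes, as an added worked example in Go (the language containerd is written in). This is illustrative code written for this page, not containerd's or the kubelet's own implementation: `imageUserPassesNonRootCheck`, `resolveUserLenient`, `resolveUserStrict`, `effectiveUID` and `suspiciousPasswdNames` are hypothetical names, and the `/etc/passwd` content is constructed. It shows why `USER 9999999999` passes a check that parses the image user as a 64-bit integer yet falls into a name lookup in a runtime that requires a 32-bit UID, what the strict parse that closes that gap looks like, how an explicit `runAsUser` sidesteps the image user entirely (the workaround in the Recommendation list), and a scanner for the crafted `/etc/passwd` entries the last recommendation says to look for.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type passwdEntry struct { // name and uid fields of one /etc/passwd line
	Name string
	UID  uint32
}

// parsePasswd parses /etc/passwd text, skipping blank, comment and malformed lines.
func parsePasswd(content string) []passwdEntry {
	var out []passwdEntry
	for _, line := range strings.Split(content, "\n") {
		f := strings.Split(strings.TrimSpace(line), ":")
		if len(f) < 7 || strings.HasPrefix(f[0], "#") {
			continue
		}
		if uid, err := strconv.ParseUint(f[2], 10, 32); err == nil {
			out = append(out, passwdEntry{Name: f[0], UID: uint32(uid)})
		}
	}
	return out
}

func isAllDigits(s string) bool { return s != "" && strings.Trim(s, "0123456789") == "" }

func lookupName(name string, passwd []passwdEntry) (uint32, error) {
	for _, e := range passwd {
		if e.Name == name {
			return e.UID, nil
		}
	}
	return 0, fmt.Errorf("user %q not found in /etc/passwd", name)
}

// imageUserPassesNonRootCheck is a simplified, hypothetical model of the runAsNonRoot check
// when no runAsUser is set: the image user counts as a UID if it parses as a 64-bit integer,
// is rejected if that UID is 0, and is rejected as unverifiable if it is not numeric.
func imageUserPassesNonRootCheck(imageUser string) bool {
	uid, err := strconv.ParseInt(strings.SplitN(imageUser, ":", 2)[0], 10, 64)
	return err == nil && uid != 0 // "9999999999" is a non-zero number, so it passes
}

// resolveUserLenient models the flawed runtime behaviour the brief describes (hypothetical, not
// containerd's code): a user that is not a valid 32-bit UID is looked up by name in /etc/passwd.
func resolveUserLenient(imageUser string, passwd []passwdEntry) (uint32, error) {
	name := strings.SplitN(imageUser, ":", 2)[0]
	if uid, err := strconv.ParseUint(name, 10, 32); err == nil {
		return uint32(uid), nil
	}
	return lookupName(name, passwd) // "9999999999" lands here and resolves to root
}

// resolveUserStrict is the hardened form: anything that looks numeric must fit in 32 bits and
// is never reinterpreted as a name; only non-numeric users are looked up in /etc/passwd.
func resolveUserStrict(imageUser string, passwd []passwdEntry) (uint32, error) {
	name := strings.SplitN(imageUser, ":", 2)[0]
	if !isAllDigits(name) {
		return lookupName(name, passwd)
	}
	uid, err := strconv.ParseUint(name, 10, 32)
	if err != nil {
		return 0, fmt.Errorf("numeric user %q is out of 32-bit range", name)
	}
	return uint32(uid), nil
}

// effectiveUID shows the workaround: an explicit numeric runAsUser is used as-is, so the
// image's USER directive (and therefore its /etc/passwd) is never consulted.
func effectiveUID(runAsUser *uint32, imageUser string, passwd []passwdEntry) (uint32, error) {
	if runAsUser != nil {
		return *runAsUser, nil
	}
	return resolveUserLenient(imageUser, passwd)
}

// suspiciousPasswdNames implements the image-scanning recommendation: flag entries whose
// username is all digits and maps to UID 0 or to a UID other than the number it spells.
func suspiciousPasswdNames(passwd []passwdEntry) []string {
	var hits []string
	for _, e := range passwd {
		if isAllDigits(e.Name) && (e.UID == 0 || e.Name != strconv.FormatUint(uint64(e.UID), 10)) {
			hits = append(hits, e.Name)
		}
	}
	return hits
}

// craftedPasswd is a constructed sample of the /etc/passwd a malicious image would ship.
const craftedPasswd = "root:x:0:0:root:/root:/bin/sh\n" +
	"nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n" +
	"9999999999:x:0:0:crafted:/root:/bin/sh\n"

func main() {
	passwd := parsePasswd(craftedPasswd) // image built with `USER 9999999999`
	uid, _ := resolveUserLenient("9999999999", passwd)
	_, err := resolveUserStrict("9999999999", passwd)
	fmt.Printf("check passes: %v, lenient -> UID %d, strict -> %v, flagged: %v\n",
		imageUserPassesNonRootCheck("9999999999"), uid, err, suspiciousPasswdNames(passwd))
}
```

The two resolvers differ only in what happens when a digit-only string fails the 32-bit parse: the lenient one quietly changes its interpretation of the value from a UID to a username, which is exactly what hands the attacker the `/etc/passwd` lookup, while the strict one refuses to reinterpret and fails closed. `effectiveUID` makes the workaround concrete: with `runAsUser` set, the image user string is never examined, so neither resolver matters.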