| Name | CVE-2026-53488 |
| Description | containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1140385 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| containerd (PTS) | bullseye | 1.4.13~ds1-1~deb11u4 | vulnerable |
| bullseye (security) | 1.4.13~ds1-1~deb11u6 | vulnerable | |
| bookworm | 1.6.20~ds1-1+deb12u3 | vulnerable | |
| bookworm (security) | 1.6.20~ds1-1+deb12u2 | vulnerable | |
| trixie (security), trixie | 1.7.24~ds1-6+deb13u1 | vulnerable | |
| forky, sid | 2.1.9+ds1-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| containerd | source | (unstable) | 2.1.9+ds1-1 | 1140385 |
https://github.com/containerd/containerd/security/advisories/GHSA-xhf5-7wjv-pqxp