CVE-2026-53489

NameCVE-2026-53489
Descriptioncontainerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1140385

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
containerd (PTS)bullseye1.4.13~ds1-1~deb11u4fixed
bullseye (security)1.4.13~ds1-1~deb11u6fixed
bookworm1.6.20~ds1-1+deb12u3fixed
bookworm (security)1.6.20~ds1-1+deb12u2fixed
trixie (security), trixie1.7.24~ds1-6+deb13u1fixed
forky, sid2.1.9+ds1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
containerdsourcebullseye(not affected)
containerdsourcebookworm(not affected)
containerdsourcetrixie(not affected)
containerdsource(unstable)2.1.9+ds1-11140385

Notes

[trixie] - containerd <not-affected> (Vulnerable code not present, only affects 2.x)
[bookworm] - containerd <not-affected> (Vulnerable code not present, only affects 2.x)
[bullseye] - containerd <not-affected> (Vulnerable code not present, only affects 2.x)
https://github.com/containerd/containerd/security/advisories/GHSA-rgh6-rfwx-v388

Search for package or bug name: Reporting problems