ALT-PU-2026-9949-1 — containerd

NONE

NONE

NONE

NONE

NONE

HIGH8.4

containerd CRI checkpoint restore CDI annotation smuggling

Published: 2026-06-19

CVSS 4.0HIGH 8.4

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

References

GHSA-cvxm-645q-p574

MEDIUM5.6

containerd: CRI checkpoint import allows local image tag poisoning

Published: 2026-06-19

CVSS 4.0MEDIUM 5.6

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:L

References

GHSA-jpcc-p29g-p8mq

MEDIUM6.9

containerd image-triggered runtime DoS via unbounded group parsing

Published: 2026-06-19

CVSS 4.0

CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

GHSA-rgh6-rfwx-v388

HIGH7.1

Arbitrary host CRI log file read via symlink following in CRI checkpoint restore

Published: 2026-06-19

CVSS 4.0HIGH 7.1

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

GHSA-xhf5-7wjv-pqxp

HIGH8.7

containerd CRI — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull

Published: 2026-06-19

CVSS 4.0HIGH 8.7

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

Package update containerd in branch sisyphus_loongarch64

Closed issues (10)

containerd CRI checkpoint restore CDI annotation smuggling

containerd: CRI checkpoint import allows local image tag poisoning

containerd image-triggered runtime DoS via unbounded group parsing

Arbitrary host CRI log file read via symlink following in CRI checkpoint restore

containerd CRI — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull