Bug 2495815 (CVE-2026-53488)

Summary: CVE-2026-53488 github.com/containerd/containerd: containerd: Host-root command execution via unvalidated image config labels in CRI plugin
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: amctagga, anjoseph, anpicker, aoconnor, aprice, aruklets, bdettelb, bniver, bparees, cahl, crizzo, dbosanac, derez, dfreiber, dhanak, dkeler, doconnor, drosa, drow, dschmidt, dsimansk, dymurray, eborisov, eglynn, fdeutsch, flucifre, gmeno, gparvin, groman, hasun, ibolton, jburrell, jcantril, jfula, jjoyce, jkoehler, jlanda, jmatthew, jmontleo, jowilson, jprabhak, jpretori, jreimann, jsamir, jschluet, kaycoth, kbempah, kingland, kshier, lball, lgamliel, lhh, ljawale, lphiri, manissin, mbenjamin, mburns, mdessi, mgarciac, mhackett, mnovotny, mrizzi, msilmser, ngough, nyancey, oezr, ometelka, oramraz, pakotvan, pcattana, pgaikwad, ptisnovs, rekumar, rhaigner, rjohnson, rojacob, sakbas, sausingh, sbratsla, sdawley, simaishi, slucidi, smullick, solenoci, sostapov, sseago, stcannon, sthirugn, stirabos, suppawar, syedriko, teagle, thason, vereddy, veshanka, vkumar, vvoronko, whayutin, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in containerd, an open-source container runtime. The Container Runtime Interface (CRI) plugin, which manages container operations, fails to validate labels propagated from an image configuration to a container. This oversight could enable an attacker to execute arbitrary commands on the host system through a plugin that processes these unvalidated labels. The primary impact is host-root command execution, allowing unauthorized control over the underlying system.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2495897, 2496001, 2496002, 2496003, 2496004, 2496006, 2496005    
Bug Blocks:    

Description OSIDB Bzimport 2026-07-01 02:01:32 UTC
containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.