Bug 2496104 (CVE-2026-46680)

Summary: CVE-2026-46680 github.com/containerd/containerd: containerd: Privilege escalation via incorrect user ID handling
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: amctagga, anjoseph, anpicker, aoconnor, aprice, bdettelb, bniver, bparees, cahl, caryn.ciampa, crizzo, dbosanac, derez, dfreiber, dhanak, dkeler, doconnor, drosa, drow, dschmidt, dsimansk, dymurray, eborisov, eglynn, flucifre, gmeno, gparvin, groman, hasun, ibolton, jburrell, jcantril, jfula, jjoyce, jkoehler, jlanda, jmatthew, jmontleo, jowilson, jprabhak, jpretori, jreimann, jsamir, jschluet, kaycoth, kbempah, kingland, kshier, lball, lgamliel, lhh, ljawale, lphiri, manissin, mbenjamin, mburns, mdessi, mgarciac, mhackett, mnovotny, mrizzi, msilmser, ngough, nyancey, oezr, ometelka, pakotvan, pcattana, pgaikwad, ptisnovs, rekumar, rhaigner, rjohnson, rojacob, sakbas, sausingh, sbratsla, sdawley, simaishi, slucidi, solenoci, sostapov, sseago, stcannon, sthirugn, suppawar, syedriko, teagle, thason, vereddy, veshanka, vkumar, vvoronko, whayutin, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in containerd, an open-source container runtime. Containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. This vulnerability allows a crafted container image to bypass the Kubernetes `runAsNonRoot` restriction, potentially leading to privilege escalation where the container runs as the root user (UID 0). This can cause unexpected behavior in environments designed to enforce non-root user execution.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2496469    
Bug Blocks:    

Description OSIDB Bzimport 2026-07-01 18:02:41 UTC
containerd is an open-source container runtime. In versions prior to 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username, leading to runAsNonRoot evasion. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user. This issue has been fixed in versions 1.7.32, 2.0.9, 2.2.4 and 2.3.1.