Bug 2496129 (CVE-2026-53489)

Summary: CVE-2026-53489 github.com/containerd/containerd: containerd: Arbitrary host file read via symlink following in CRI checkpoint restore
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: amctagga, anjoseph, anpicker, aoconnor, aprice, aruklets, bdettelb, bniver, bparees, cahl, crizzo, dbosanac, derez, dfreiber, dhanak, dkeler, doconnor, drosa, drow, dschmidt, dsimansk, dymurray, eborisov, eglynn, flucifre, gmeno, gparvin, groman, hasun, ibolton, jburrell, jcantril, jfula, jjoyce, jkoehler, jlanda, jmatthew, jmontleo, jowilson, jprabhak, jpretori, jreimann, jsamir, jschluet, kaycoth, kbempah, kingland, kshier, lball, lgamliel, lhh, ljawale, lphiri, manissin, mbenjamin, mburns, mdessi, mgarciac, mhackett, mnovotny, mrizzi, msilmser, ngough, nyancey, oezr, ometelka, pakotvan, pcattana, pgaikwad, ptisnovs, rekumar, rhaigner, rjohnson, rojacob, sakbas, sausingh, sbratsla, sdawley, simaishi, slucidi, solenoci, sostapov, sseago, stcannon, sthirugn, suppawar, syedriko, teagle, thason, vereddy, veshanka, vkumar, vvoronko, whayutin, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in containerd, an open-source container runtime. The Container Runtime Interface (CRI) plugin incorrectly restores container logs from a checkpoint image. This vulnerability, categorized as a Path Traversal (CWE-61), allows an attacker to read arbitrary files on the host system by manipulating symlinked paths during the checkpoint restore process. This can lead to unauthorized information disclosure from the host.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-07-01 19:01:54 UTC
containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.