All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-53488
CRITICALpublished 2026-07-01 02:17 UTC · 4 days ago · modified 2026-07-03 04:17 UTC
9.4
CVSS / 10
// description
containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.
// weaknesses (CWE)
- CWE-20