Critical containerd Vulnerabilities Expose Container Runtimes to DoS and Code Execution
Ubuntu security advisories reveal five vulnerabilities in containerd affecting HTTP/2 handling, image validation, and label propagation. Patches address denial-of-service and arbitrary code execution risks across multiple Ubuntu LTS releases.
TL;DR
- Five CVEs patched in containerd: HTTP/2 infinite loop (CVE-2026-33814), group parsing memory exhaustion (CVE-2026-47262), image checkpoint validation bypass (CVE-2026-50195), label propagation code execution (CVE-2026-53488), and symlink path validation flaw
- CVE-2026-53488 allows attackers to execute arbitrary code on the host by exploiting improper label propagation from image configurations
- CVE-2026-50195 enables local image cache poisoning and cross-pod code execution via unvalidated image references during checkpoint import
- HTTP/2 SETTINGS frame handling flaw (CVE-2026-33814) can trigger infinite loops causing denial of service
- Patches available across Ubuntu 16.04 LTS through 26.04 LTS with varying CVE applicability per release
Ubuntu has released security updates addressing five vulnerabilities in containerd, the widely-used container runtime. The flaws range from denial-of-service conditions to arbitrary code execution, affecting container orchestration environments across multiple Ubuntu LTS versions. Organizations running containerized workloads should prioritize patching to mitigate both local and remote attack vectors.
The vulnerabilities span HTTP/2 protocol handling, image validation logic, and container configuration processing. Most critical are flaws enabling code execution on the host system and local image cache poisoning, which could allow attackers to compromise container isolation boundaries and execute malicious code across pod boundaries.
Code Execution and Privilege Escalation Risks
- CVE-2026-53488: Improper label propagation from image configurations to containers allows arbitrary code execution on the host
- CVE-2026-50195: Unvalidated image references during checkpoint import enable local image cache poisoning and code execution in other pods (affects Ubuntu 22.04 LTS, 24.04 LTS, 25.10, and 26.04 LTS)
- Both flaws bypass container isolation mechanisms, allowing lateral movement and privilege escalation
Denial of Service and Resource Exhaustion Vulnerabilities
- CVE-2026-33814: Improper HTTP/2 SETTINGS frame handling causes containerd to enter infinite loops, triggering denial of service
- CVE-2026-47262: Group parsing defect during container creation causes excessive memory consumption, leading to resource exhaustion and service unavailability
- Both DoS vectors can be exploited to disrupt container orchestration and application availability
Affected Versions and Patch Availability
- CVE-2026-33814 and CVE-2026-47262 affect Ubuntu 16.04 LTS through 26.04 LTS
- CVE-2026-53488 impacts Ubuntu 18.04 LTS, 20.04 LTS, 22.04 LTS, 24.04 LTS, and 26.04 LTS
- CVE-2026-50195 limited to Ubuntu 22.04 LTS, 24.04 LTS, 25.10, and 26.04 LTS
- Security updates available via USN-8471-1, USN-8472-1, and USN-8473-1
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.