CVE-2026-53488
Publication date 22 June 2026
Last updated 1 July 2026
Ubuntu priority
Description
containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.
Why is this CVE high priority?
Critical severity
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| containerd | 26.04 LTS resolute | Fixed 1.7.24~ds1-10ubuntu1+esm1 |
| containerd | 25.10 questing | Vulnerable |
| containerd | 24.04 LTS noble | Fixed 1.6.24~ds1-1ubuntu1.3+esm3 |
| containerd | 22.04 LTS jammy | Fixed 1.6.12-0ubuntu1~22.04.11 |
| containerd | 20.04 LTS focal | Fixed 1.6.12-0ubuntu1~20.04.8+esm2 |
| containerd | 18.04 LTS bionic | Fixed 1.6.12-0ubuntu1~18.04.1+esm4 |
| containerd-app | 26.04 LTS resolute | Fixed 2.2.2-0ubuntu1.1 |
| containerd-app | 25.10 questing | Fixed 2.2.1-0ubuntu1~25.10.2 |
| containerd-app | 24.04 LTS noble | Fixed 2.2.1-0ubuntu1~24.04.3 |
| containerd-app | 22.04 LTS jammy | Fixed 2.2.1-0ubuntu1~22.04.2 |
| containerd-app | 20.04 LTS focal | Fixed 1.7.24-0ubuntu1~20.04.2+esm2 |
| containerd-stable | 26.04 LTS resolute | Fixed 2.2.2-0ubuntu1.1 |
| containerd-stable | 25.10 questing | Fixed 2.1.6-0ubuntu1~25.10.2 |
| containerd-stable | 24.04 LTS noble | Not in release |
| containerd-stable | 22.04 LTS jammy | Not in release |
Notes
alexmurray
Traditionally the containerd source package contained both the library and docker application. However, in releases that contain the containerd-app source package, the containerd source package contains only the library whilst the docker application itself is contained in the containerd-app package.
mdeslaur
containerd-app gets new upstream versions, containerd-stable gets backported security updates and minor point updates
Patch details
| Package | Patch details |
|---|---|
| containerd | |
| containerd-app | |
| containerd-stable | |
Severity score breakdown
CVSS version: CVSS v4.0
Base score
9.4 · Critical
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References
Related Ubuntu Security Notices (USN)
- USN-8472-1: containerd vulnerabilities (25 June 2026)
- USN-8471-1: containerd vulnerabilities (25 June 2026)
- USN-8473-1: containerd vulnerabilities (25 June 2026)