CVE-2026-46680

HIGH

containerd user ID handling bypass allows runAsNonRoot evasion

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-46680. PoCs published by r0binak.

AI-analyzed exploit summary This repository demonstrates a container escape vulnerability (CVE-2026-46680) by exploiting a large UID (4294967296) to bypass Kubernetes' runAsNonRoot security context. The Dockerfile creates a user with UID 4294967296 (which overflows to 0, effectively root), and the pod.yaml deploys it with runAsNonRoot=true, bypassing the restriction.

Description

containerd is an open-source container runtime. In versions prior to 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username, leading to runAsNonRoot evasion. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user. This issue has been fixed in versions 1.7.32, 2.0.9, 2.2.4 and 2.3.1.

Exploits (1)

nomisec WORKING POC
by r0binak · poc
https://github.com/r0binak/CVE-2026-46680

This repository demonstrates a container escape vulnerability (CVE-2026-46680) by exploiting a large UID (4294967296) to bypass Kubernetes' runAsNonRoot security context. The Dockerfile creates a user with UID 4294967296 (which overflows to 0, effectively root), and the pod.yaml deploys it with runAsNonRoot=true, bypassing the restriction.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: Kubernetes (version not specified)
No auth needed
Prerequisites: Kubernetes cluster with pod creation permissions · Ability to deploy custom pod manifests
mistral-large-3 · analyzed Jul 02, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 7.8
EPSS 0.0022
EPSS Percentile 12.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-269
Status published
Products (5)
containerd/containerd < 1.7.32
containerd/containerd >= 2.0.10, < 2.2.4
containerd/containerd >= 2.0.4, < 2.0.9
containerd/containerd >= 2.2.5, < 2.3.1
linuxfoundation/containerd 1.7.27 - 1.7.32
Published Jul 01, 2026
Tracked Since Jul 01, 2026