CVE-2026-47262

MEDIUM

containerd image-triggered runtime DoS via unbounded group parsing

Title source: cna
STIX 2.1

Description

containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2, contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components. This issue has been fixed in versions 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2.

References (1)

Core 1
Core References

Scores

CVSS v3 5.5
EPSS 0.0032
EPSS Percentile 23.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-400
Status published
Products (6)
containerd/containerd >= 1.7.0, < 1.7.33
containerd/containerd >= 2.0.0, < 2.0.10
containerd/containerd >= 2.1.0, < 2.1.9
containerd/containerd >= 2.2.0, < 2.2.5
containerd/containerd >= 2.3.0, < 2.3.2
linuxfoundation/containerd 1.7.0 - 1.7.33
Published Jul 01, 2026
Tracked Since Jul 02, 2026