CVE-2026-47262
MEDIUMcontainerd image-triggered runtime DoS via unbounded group parsing
Title source: cnaDescription
containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2, contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components. This issue has been fixed in versions 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/containerd/containerd/security/advisories/GHSA-jpcc-p29g-p8mq
Scores
CVSS v3
5.5
EPSS
0.0032
EPSS Percentile
23.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-400
Status
published
Products (6)
containerd/containerd
>= 1.7.0, < 1.7.33
containerd/containerd
>= 2.0.0, < 2.0.10
containerd/containerd
>= 2.1.0, < 2.1.9
containerd/containerd
>= 2.2.0, < 2.2.5
containerd/containerd
>= 2.3.0, < 2.3.2
linuxfoundation/containerd
1.7.0 - 1.7.33
Published
Jul 01, 2026
Tracked Since
Jul 02, 2026