CVE-2026-53488

HIGH

containerd CRI plugin: — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-53488. PoCs published by HermesNA-1.

AI-analyzed exploit summary This repository contains an auto-generated stub module for CVE-2026-53488, a vulnerability in containerd's CRI plugin where labels from image configs are improperly propagated. The code includes placeholder methods (`check` and `run`) but lacks actual exploit implementation or technical details about the vulnerability mechanics.

Description

containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.

Exploits (1)

github STUB 1 stars
by HermesNA-1 · pythonpoc
https://github.com/HermesNA-1/SnakeSploit/tree/main/data/modules_generated/cve-2026-53488_containerd_open-source.py

This repository contains an auto-generated stub module for CVE-2026-53488, a vulnerability in containerd's CRI plugin where labels from image configs are improperly propagated. The code includes placeholder methods (`check` and `run`) but lacks actual exploit implementation or technical details about the vulnerability mechanics.

Classification
Stub 99%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: containerd versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10
No auth needed
Prerequisites: Network access to the target's CRI plugin port (default: 10010) · Target running a vulnerable version of containerd
mistral-large-3 · analyzed Jul 09, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 8.8
EPSS 0.0020
EPSS Percentile 10.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-20
Status published
Products (6)
containerd/containerd < 1.7.33
containerd/containerd >= 2.0.0, < 2.0.10
containerd/containerd >= 2.1.0, < 2.1.9
containerd/containerd >= 2.2.0, < 2.2.5
containerd/containerd >= 2.3.0, < 2.3.2
linuxfoundation/containerd 1.7.0 - 1.7.33
Published Jul 01, 2026
Tracked Since Jul 01, 2026