CVE-2026-53489
Publication date 22 June 2026
Last updated 9 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
Read the notes from the security team
Why is this CVE high priority?
High severity
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| containerd | 26.04 LTS resolute |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| containerd-app | 26.04 LTS resolute |
Fixed 2.2.2-0ubuntu1.1
|
| 24.04 LTS noble |
Fixed 2.2.1-0ubuntu1~24.04.3
|
|
| 22.04 LTS jammy |
Fixed 2.2.1-0ubuntu1~22.04.2
|
|
| 20.04 LTS focal |
Not affected
|
|
| containerd-stable | 26.04 LTS resolute |
Fixed 2.2.2-0ubuntu1.1
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release |
Notes
alexmurray
Traditionally the containerd source package contained both the library and docker application. However, in releases that contain the containerd-app source package, the containerd source package contains only the library whilst the docker application itself is contained in the containerd-app package.
mdeslaur
containerd-app gets new upstream versions, containerd-stable gets backported security updates and minor point updates
Severity score breakdown
CVSS version:
Base score
8.2 · High
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Base score
6.5 · Medium
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
References
Related Ubuntu Security Notices (USN)
- USN-8472-1
- containerd vulnerabilities
- 25 June 2026
- USN-8473-1
- containerd vulnerabilities
- 25 June 2026