CVE-2026-50195

Critical · CVSS 9.9

Exploitation Probability (EPSS)

Low risk
0.35%

27th percentile — higher than 27% of all known CVEs

Summary

A vulnerability in containerd prior to versions 2.3.2, 2.2.5 and 2.1.9 allows an attacker with pod creation permissions to poison the local image cache via a crafted checkpoint image. Missing validation of image references in the checkpoint import process enables assigning an arbitrary local tag to a malicious image.

Risk Assessment

The organization risks arbitrary code execution under the victim pod's identity, potentially leading to privilege escalation, data theft, or lateral movement within the cluster.

Recommendation

Immediately upgrade containerd to versions 2.3.2, 2.2.5 or 2.1.9. Restrict pod creation permissions to trusted entities only.

Original NVD description (English source)

containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the CRI checkpoint import process where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local tag, thereby poisoning the node's local image cache. Subsequently, if other pods on the same node attempt to use the poisoned tag with an IfNotPresent (or Never) pull policy, they will unknowingly execute the attacker's malicious image instead of the legitimate one. This can lead to a compromise of the affected pods, allowing the attacker to execute arbitrary code under the victim pod's identity. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
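To gauge which workloads meet the condition described above, this added example (not part of the NVD entry or the containerd project) lists containers whose effective pull policy is IfNotPresent or Never, applying the Kubernetes defaulting rule when `imagePullPolicy` is omitted from a manifest. The pod list, shaped like `kubectl get pods -A -o json` output, and the registry names are constructed.

```python
import json

# Constructed sample shaped like `kubectl get pods -A -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "shop", "name": "api"},
     "spec": {"containers": [
         {"name": "app", "image": "registry.example/shop/api:1.4"},
         {"name": "proxy", "image": "registry.example/proxy:latest"}]}},
    {"metadata": {"namespace": "shop", "name": "batch"},
     "spec": {"initContainers": [
         {"name": "init", "image": "registry.example/tools",
          "imagePullPolicy": "Never"}],
      "containers": [
         {"name": "job", "image": "registry.example/job:2",
          "imagePullPolicy": "Always"}]}},
]})

def has_latest_or_no_tag(image):
    """True if the reference has no digest and either no tag or the tag :latest."""
    if "@" in image:
        return False
    last = image.rsplit("/", 1)[-1]  # ignore a registry host:port prefix
    return ":" not in last or last.endswith(":latest")

def effective_policy(container):
    """Explicit imagePullPolicy, else the Kubernetes default for the reference."""
    explicit = container.get("imagePullPolicy")
    if explicit:
        return explicit
    return "Always" if has_latest_or_no_tag(container["image"]) else "IfNotPresent"

def cache_trusting_containers(pod_list_json):
    """Return (namespace, pod, container, image, policy) for containers
    that start from whatever image the node's local cache holds."""
    findings = []
    for pod in json.loads(pod_list_json)["items"]:
        meta, spec = pod["metadata"], pod["spec"]
        for key in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(key) or []:
                policy = effective_policy(c)
                if policy in ("IfNotPresent", "Never"):
                    findings.append((meta["namespace"], meta["name"],
                                     c["name"], c["image"], policy))
    return findings

if __name__ == "__main__":
    for row in cache_trusting_containers(SAMPLE):
        print("\t".join(row))
```

Containers reported here run on nodes where the local image cache is trusted without a registry check, so nodes hosting them are the first to prioritize for the containerd upgrade.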

Vulnerability data from NVD (NIST) · CISA KEV · EPSS