CVE Catalog

CVE-2026-53489

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

A vulnerability in containerd allows reading arbitrary files on the host via kubectl logs. The bug occurs in the CRI plugin, which restores container.log from a checkpoint image without validating a symlinked path.

Risk Assessment

An attacker could exploit this vulnerability to read sensitive host files, potentially leading to data leakage or privilege escalation.

Recommendation

Immediately update containerd to version 2.3.2, 2.2.5, or 2.1.9, depending on the branch in use.

Original NVD description (English source)

containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS