Skip to main content

containerd EUVDEUVD-2026-41108

| CVE-2026-50195 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
5.6
CVSS 4.0 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
5.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.2 HIGH

Network vector via Kubernetes API; PR:L for required pod-creation permission; AC:H for two-stage attack requiring victim pod with non-Always pull policy; S:C as compromise crosses into victim pod identity.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
SUSE
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
Jul 01, 2026 - 19:22 NVD
5.6 (MEDIUM)
Analysis Generated
Jun 19, 2026 - 02:17 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Checkpoint image poisoning in containerd's CRI implementation allows an attacker with pod-creation permissions to corrupt the node-local image cache, causing victim pods to silently execute malicious images in place of legitimate ones. The root cause is missing validation of image references embedded in checkpoint image configurations: containerd trusts attacker-controlled strings in the checkpoint archive to drive image pulls and local tag assignment. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain pod-creation RBAC permissions
Delivery
Craft malicious OCI checkpoint image with forged image references
Exploit
Submit pod triggering CRI checkpoint import
Execution
containerd pulls malicious image and assigns attacker-chosen local tag
Persist
Victim pod schedules to poisoned node with IfNotPresent or Never pull policy
Impact
Victim pod executes malicious image under its own Kubernetes service account identity

Vulnerability AssessmentAI

Exploitation The attacker must hold Kubernetes RBAC permissions sufficient to create pods in at least one namespace on the target cluster - specifically the ability to invoke the CRI checkpoint import path (e.g., via the kubelet checkpoint API or equivalent). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector or EPSS score is present in the provided data, so quantitative risk metrics cannot be cited - severity is vendor-stated as Critical via GHSA-cvxm-645q-p574. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with Kubernetes pod-creation RBAC permissions on a target namespace builds a malicious OCI checkpoint image that embeds forged image reference strings pointing to attacker-controlled registry content. They submit a pod spec that triggers containerd's CRI checkpoint import path, causing containerd to fetch the malicious image and register it locally under a tag matching a legitimate image expected by other workloads on the same node. …
Remediation Update containerd to a patched release: 2.3.2, 2.2.5, or 2.1.9, available at https://github.com/containerd/containerd/releases. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Kubernetes clusters for containerd usage and identify vulnerable versions via container runtime inventory. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SLES15-SP5-CHOST-BYOS-SAP-CCloud Not-Affected
SLES15-SP6-CHOST-BYOS Not-Affected
SLES15-SP6-CHOST-BYOS-Aliyun Not-Affected

Share

EUVD-2026-41108 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy