containerd EUVD-2026-41110

CVE-2026-53489 HIGH
UNIX Symbolic Link (Symlink) Following (CWE-61)
8.2 (CVSS 4.0 · Vendor)

Severity by source

Vendor (CNA) PRIMARY
8.2 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Local vector requiring the ability to introduce a checkpoint (PR:L); crossing the container-to-host boundary is a scope change (S:C) yielding high confidentiality only (C:H), with no integrity or availability impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from Vendor (CNA).

CVSS Vector (Vendor)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

  • Source Code Evidence Fetched · Jul 01, 2026 - 19:28 · vuln.today
  • Analysis Updated · Jul 01, 2026 - 19:28 · vuln.today · v3 (cvss_changed)
  • Analysis Updated · Jul 01, 2026 - 19:28 · vuln.today · v2 (cvss_changed)
  • Re-analysis Queued · Jul 01, 2026 - 19:22 · vuln.today · cvss_changed
  • CVSS changed · Jul 01, 2026 - 19:22 · NVD · 8.2 (HIGH)
  • Analysis Generated · Jun 19, 2026 - 02:16 · vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

Arbitrary host file disclosure in containerd's CRI plugin lets an attacker read any file on the Kubernetes node via kubectl logs because the plugin restores container.log from a checkpoint image while blindly following a symlinked path. All containerd 2.x branches before 2.1.9, 2.2.5, and 2.3.2 are affected wherever container checkpoint/restore (CRIU-based) is used. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Craft checkpoint image with symlinked container.log
  • Delivery: Get malicious checkpoint restored on node
  • Exploit: CRI plugin follows symlink to host file
  • Execution: Operator runs kubectl logs
  • Impact: Arbitrary host file contents disclosed

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the containerd CRI plugin performs a checkpoint restore of an attacker-controlled or attacker-influenced checkpoint image containing a `container.log` entry that is a symlink to a host file; the payload is then read when someone invokes `kubectl logs` against the restored container. …

Risk Assessment: The CVSS 4.0 base score is 8.2 (High) with vector AV:L/AC:L/AT:N/PR:N/UI:N and VC:H plus SC:H, signalling high confidentiality impact on both the vulnerable and a subsequent system (the host) with local access and no user interaction. …

Exploit Scenario: An attacker able to supply or influence a container checkpoint image embeds a `container.log` entry that is actually a symlink to a sensitive host file such as `/etc/shadow` or a service-account token. After the malicious checkpoint is restored on a node, the attacker (or an unwitting operator) runs `kubectl logs` against the resulting pod, and containerd dereferences the symlink and returns the host file's contents. …

Remediation: Vendor-released patch: upgrade to containerd 2.1.9, 2.2.5, or 2.3.2 depending on your branch (2.1.x → 2.1.9, 2.2.x → 2.2.5, 2.3.x → 2.3.2), as documented in advisory GHSA-rgh6-rfwx-v388 (https://github.com/containerd/containerd/security/advisories/GHSA-rgh6-rfwx-v388); Ubuntu users should apply the packages from USN-8472-1 and USN-8473-1 (https://ubuntu.com/security/notices/USN-8472-1, https://ubuntu.com/security/notices/USN-8473-1). …
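
A defender-side check for the condition described above, as an added example that is not containerd's code or its fix: it scans a tar stream for any `container.log` entry that is not a regular file. It assumes the checkpoint content has been exported as a tar archive; `ScanCheckpointTar`, `Finding` and `sampleArchive` are hypothetical names, and the sample archive is constructed.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
)

// Finding is a container.log entry that is not a regular file.
type Finding struct{ Name, Kind, Target string }

// ScanCheckpointTar reports every entry named container.log whose tar type is
// not a regular file. Assumption: the checkpoint was exported as a tar stream.
func ScanCheckpointTar(r io.Reader) ([]Finding, error) {
	var out []Finding
	tr := tar.NewReader(r)
	for {
		h, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return out, nil
		} else if err != nil {
			return out, err
		}
		if path.Base(path.Clean(h.Name)) != "container.log" || h.Typeflag == tar.TypeReg {
			continue
		}
		kind := fmt.Sprintf("tar type %q", h.Typeflag) // hard link, device, ...
		if h.Typeflag == tar.TypeSymlink {
			kind = "symlink"
		}
		out = append(out, Finding{Name: h.Name, Kind: kind, Target: h.Linkname})
	}
}

// sampleArchive builds a constructed archive: one regular container.log and
// one that is a symlink to a placeholder path.
func sampleArchive() *bytes.Buffer {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	tw.WriteHeader(&tar.Header{Name: "a/container.log", Typeflag: tar.TypeReg, Mode: 0o600, Size: 3})
	tw.Write([]byte("ok\n"))
	tw.WriteHeader(&tar.Header{Name: "b/container.log", Typeflag: tar.TypeSymlink, Linkname: "/placeholder/host/file", Mode: 0o777})
	tw.Close()
	return buf
}

func main() { fmt.Println(ScanCheckpointTar(sampleArchive())) }
```

A non-empty result means the archive should not be restored until the entry is explained; upgrading to the fixed releases listed under Remediation remains the actual fix.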

Recommended Action (AI)

24 hours: Identify all Kubernetes clusters using containerd 2.x versions prior to 2.1.9, 2.2.5, or 2.3.2. …

Vendor Status (Vendor)

SUSE

Severity: Moderate

Product: Status
  • SUSE Package Hub 15 SP7: Fixed
  • openSUSE Tumbleweed: Fixed
  • SLES15-SP5-CHOST-BYOS-SAP-CCloud: Affected
  • SLES15-SP6-CHOST-BYOS: Affected
  • SLES15-SP6-CHOST-BYOS-Aliyun: Affected
