containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.

Project Subscriptions

No data.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rgh6-rfwx-v388 Arbitrary host CRI log file read via symlink following in CRI checkpoint restore
Ubuntu USN Ubuntu USN USN-8472-1 containerd vulnerabilities
Ubuntu USN Ubuntu USN USN-8473-1 containerd vulnerabilities
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 01 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
Description containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
Title containerd: Arbitrary host CRI log file read via symlink following in CRI checkpoint restore
Weaknesses CWE-61
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-01T18:10:41.802Z

Reserved: 2026-06-09T17:05:25.059Z

Link: CVE-2026-53489

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses