containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-20"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53488.json"
}{
"source": "CPE_RANGE",
"cpe": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "1.7.0"
},
{
"fixed": "1.7.33"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.10"
},
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.9"
},
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.5"
},
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.2"
}
]
}