Issue with containerd CRI Plugin - CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262
Bulletin ID: 2026-046-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 06/18/2026 17:30 PM PDT
Description:
containerd is an open-source container runtime used by Kubernetes via the Container Runtime Interface (CRI) plugin. It underpins AWS managed container services including Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Elastic Container Service (Amazon ECS), AWS Fargate, Bottlerocket, and Amazon Linux. AWS identified five issues in the containerd CRI plugin affecting versions 1.7 through 2.3.
- CVE-2026-50195 (CVSS 8.8): Unvalidated checkpoint image references in the CRI plugin allow image cache poisoning on shared Kubernetes nodes, enabling cross-pod code execution.
- CVE-2026-53488 (CVSS 8.3): Image configuration LABEL instructions are propagated to containers without sanitization, enabling arbitrary host command execution via a crafted container image. This issue does not require checkpoint/restore to be enabled.
- CVE-2026-53492 (CVSS 6.8): CDI (Container Device Interface) annotations from untrusted checkpoint image metadata are trusted without validation, allowing device and host mount injection that bypasses Kubernetes device enforcement. This issue requires CDI to be enabled on the node.
- CVE-2026-53489 (CVSS 6.5): Symlinked container log paths are not validated during checkpoint restore, enabling arbitrary host file read. This issue requires checkpoint/restore to be enabled.
- CVE-2026-47262 (CVSS 6.5): A crafted container image can cause uncontrolled memory consumption, resulting in an out-of-memory termination of the containerd process and a denial of service for all containers on the affected node.
Impacted versions: containerd 1.7, 2.0, 2.1, 2.2, 2.3
Resolution:
These issues have been addressed in the upstream containerd project. Patched releases are available at the containerd GitHub security advisories page. We recommend upgrading to the latest patched version and ensuring any forked or derivative code is updated to incorporate the new fixes.
For customers using AWS managed container services (Amazon EKS, Amazon ECS, AWS Fargate), AWS is deploying patched runtimes across affected fleets. Customers using self-managed containerd deployments on Amazon EC2 or on-premises infrastructure should upgrade to a patched containerd version as soon as possible.
Workarounds:
- For CVE-2026-50195, CVE-2026-53489, and CVE-2026-53492: Disabling the checkpoint/restore feature in containerd reduces the potential for unintended disclosure.
- For CVE-2026-53492: Additionally disabling CDI support on affected nodes reduces the potential for unintended disclosure.
- For CVE-2026-53488 and CVE-2026-47262: There is no workaround short of upgrading to a patched version.
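The following node audit script is an added example, not part of this bulletin or of the containerd project: it classifies a node's containerd release line against the impacted list above and reports whether CDI is enabled, since CVE-2026-53492 is only reachable with CDI on. It assumes `containerd --version` prints a line of the form `containerd <module> v<semver> <hash>`, that `containerd config dump` prints the effective TOML, and that CDI is controlled by the CRI plugin's `enable_cdi` key; it does not check the checkpoint/restore workaround because the bulletin names no setting for it.

```shell
#!/bin/sh
# Added audit helper (not from the AWS bulletin or containerd). Assumptions:
# `containerd --version` -> "containerd <module> v<semver> <hash>", and
# `containerd config dump` -> effective TOML with an `enable_cdi` key.

# Impacted major.minor lines, taken from the bulletin.
IMPACTED_MINORS="1.7 2.0 2.1 2.2 2.3"

# Print "major.minor" from a `containerd --version` line.
containerd_minor() {
    printf '%s\n' "$1" | sed -n 's/.* v\([0-9]*\.[0-9]*\)\.[0-9].*/\1/p'
}

# Succeed (exit 0) when the given major.minor is in the impacted set.
is_impacted_line() {
    for m in $IMPACTED_MINORS; do
        [ "$1" = "$m" ] && return 0
    done
    return 1
}

# Print enabled/disabled/unset for `enable_cdi` in a config dump (first match wins).
cdi_state() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*enable_cdi[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' |
        head -n 1)
    case "$v" in
        true)  echo enabled ;;
        false) echo disabled ;;
        *)     echo unset ;;   # default then depends on the containerd release
    esac
}

# Live mode queries the local containerd; without --live only the functions load.
if [ "${1:-}" = "--live" ]; then
    ver_line=$(containerd --version 2>/dev/null) || { echo "containerd not found"; exit 2; }
    minor=$(containerd_minor "$ver_line")
    cfg=$(containerd config dump 2>/dev/null)
    if is_impacted_line "$minor"; then
        echo "containerd $minor is an impacted release line; confirm the build carries the upstream fix"
    else
        echo "containerd $minor is not in the bulletin's impacted list"
    fi
    echo "CDI (enable_cdi): $(cdi_state "$cfg")   # 'enabled' means CVE-2026-53492 is reachable until patched"
fi
```

Run it with `--live` on a node as root (or whoever can read the containerd socket and config); the script cannot tell a patched 2.3.x from an unpatched one, so a positive match is a prompt to verify the exact build against the advisories, not a finding by itself.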
References:
- CVE-2026-50195 (GHSA-cvxm-645q-p574)
- CVE-2026-53488 (GHSA-xhf5-7wjv-pqxp)
- CVE-2026-53492 (GHSA-33vj-92qq-66hc)
- CVE-2026-53489 (GHSA-rgh6-rfwx-v388)
- CVE-2026-47262 (GHSA-jpcc-p29g-p8mq)
- containerd Security Advisories
Acknowledgement:
We would like to thank the containerd project for collaborating on these issues through the coordinated vulnerability disclosure process.
Please email aws-security@amazon.com with any security questions or concerns.