oM noM Security Feeds cve
vulnerability context

CVE-2026-53488

CVSS 8.8 HIGHEPSS 14%CWE-20OTX 2 pulses

containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.

Published 2026-07-01 · last modified 2026-07-03

details

CISA KEV status
Not in catalog
CVSS v3
8.8 / HIGH
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS
14% percentile (score 0.0023)
CWE
CWE-20
OTX pulses
2 total, 0 recent

source mentions 2

source consensus

  • Bluesky:@cyberhub.blog
  • AWS Security Bulletins
Want the 3-bullet summary of CVE-2026-53488, plus webhook alerts when KEV is updated? Pro is $10/mo.