Source: containerd
Version: 2.1.9+ds1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.7.24~ds1-1

Hi,

The following vulnerability was published for containerd.

CVE-2026-46680[0]:
| containerd is an open-source container runtime. In versions prior to
| 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers launched with a numeric
| User directive that cannot be parsed as a 32-bit integer are
| incorrectly treated as a username, leading to runAsNonRoot evasion.
| If a crafted image provides an /etc/passwd file mapping this large
| numeric string to root, the container ultimately runs as root (UID
| 0). This allows the Kubernetes runAsNonRoot restriction to be
| bypassed, causing unexpected behavior for environments that require
| containers to run as a non-root user. This issue has been fixed in
| versions 1.7.32, 2.0.9, 2.2.4 and 2.3.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-46680
    https://www.cve.org/CVERecord?id=CVE-2026-46680
[1] 
https://github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to