Source: containerd Version: 2.1.9+ds1-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]> Control: found -1 1.7.24~ds1-1
Hi, The following vulnerability was published for containerd. CVE-2026-46680[0]: | containerd is an open-source container runtime. In versions prior to | 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers launched with a numeric | User directive that cannot be parsed as a 32-bit integer are | incorrectly treated as a username, leading to runAsNonRoot evasion. | If a crafted image provides an /etc/passwd file mapping this large | numeric string to root, the container ultimately runs as root (UID | 0). This allows the Kubernetes runAsNonRoot restriction to be | bypassed, causing unexpected behavior for environments that require | containers to run as a non-root user. This issue has been fixed in | versions 1.7.32, 2.0.9, 2.2.4 and 2.3.1. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-46680 https://www.cve.org/CVERecord?id=CVE-2026-46680 [1] https://github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w Please adjust the affected versions in the BTS as needed. Regards, Salvatore

