CVE-2026-47262

Source
https://cve.org/CVERecord?id=CVE-2026-47262
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47262.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-47262
Aliases
Downstream
Related
Published
2026-07-01T17:48:43.205Z
Modified
2026-07-08T08:13:39.471063668Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
containerd image-triggered runtime DoS via unbounded group parsing
Details

containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2, contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components. This issue has been fixed in versions 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47262.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-400"
    ]
}
References

Affected packages

Git / github.com/containerd/containerd

Affected ranges

Type
GIT
Repo
https://github.com/containerd/containerd
Events
Database specific
{
    "cpe": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "1.7.0"
        },
        {
            "fixed": "1.7.33"
        },
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.0.10"
        },
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "2.1.9"
        },
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.2.5"
        },
        {
            "introduced": "2.3.0"
        },
        {
            "fixed": "2.3.2"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

api/v1.*
api/v1.11.1
api/v1.7.19
v1.*
v1.7.0
v1.7.1
v1.7.10
v1.7.11
v1.7.12
v1.7.13
v1.7.14
v1.7.15
v1.7.16
v1.7.17
v1.7.18
v1.7.19
v1.7.2
v1.7.20
v1.7.21
v1.7.22
v1.7.23
v1.7.24
v1.7.25
v1.7.26
v1.7.27
v1.7.28
v1.7.29
v1.7.3
v1.7.30
v1.7.31
v1.7.32
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.3.0
v2.3.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47262.json"