containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53489.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-61"
]
}{
"source": "CPE_RANGE",
"cpe": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.9"
},
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.5"
},
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.2"
}
]
}