chore(deps): update module github.com/containerd/containerd to v1.7.33 [security] (release-2.3) #134
Open
crossplane-renovate[bot] wants to merge 1 commit into
This PR contains the following updates:
v1.7.32 → v1.7.33
containerd image-triggered runtime DoS via unbounded group parsing
CVE-2026-47262 / GHSA-jpcc-p29g-p8mq
More information
Details
Impact
A vulnerability in containerd allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components.
Patches
This bug has been fixed in the following containerd versions:
Users should update to these versions to resolve the issue.
Workarounds
Ensure that only trusted images are used and that only trusted users have permissions to import images or schedule pods.
Credits
The containerd project would like to thank Jakub Ciolek (@jake-ciolek) at AlphaSense and Kyle Elliott @ Trail of Bits who independently discovered and responsibly disclosed this issue in accordance with the containerd security policy.
For more information
If you have any questions or comments about this advisory:
To report a security issue in containerd:
Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
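The fix line in this release is "Bound user-database file reads in openBoundedUserFile". As an added example (not containerd's own code, which is not reproduced on this page), the following Go program shows the defensive pattern behind that fix: a group-database parser that refuses to pull more than a fixed byte budget from an image-controlled file, so a crafted layer cannot make the runtime allocate until it is OOM-killed. The budgets, the `Group` type, the sample file and the `endlessGroups` reader are all constructed for this example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Group is one record from a group database (name:password:gid:member,member).
type Group struct {
	Name    string
	GID     string
	Members []string
}

// ErrUserFileTooLarge is returned when the input exceeds the byte budget.
var ErrUserFileTooLarge = errors.New("user database file exceeds size limit")

// Budgets assumed for this example; they are not containerd's own values.
const (
	maxUserFileBytes int64 = 1 << 20 // whole-file budget: 1 MiB
	maxLineBytes           = 64 << 10 // per-line budget: 64 KiB
)

// countingReader records how many bytes have been pulled from r.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// parseGroupsBounded parses a group database from r but never buffers more
// than maxBytes of it. Reading image-controlled files without such a bound is
// what lets a crafted image drive the runtime into an OOM kill.
func parseGroupsBounded(r io.Reader, maxBytes int64) ([]Group, error) {
	// Allow exactly one byte past the budget: if we ever see it, the source is
	// larger than maxBytes and we stop without reading the rest.
	cr := &countingReader{r: io.LimitReader(r, maxBytes+1)}
	sc := bufio.NewScanner(cr)
	sc.Buffer(make([]byte, 0, 4096), maxLineBytes)

	var groups []Group
	for sc.Scan() {
		if cr.n > maxBytes {
			return nil, ErrUserFileTooLarge
		}
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.SplitN(line, ":", 4)
		if len(fields) < 3 {
			return nil, fmt.Errorf("malformed group entry: %q", line)
		}
		g := Group{Name: fields[0], GID: fields[2]}
		if len(fields) == 4 && fields[3] != "" {
			g.Members = strings.Split(fields[3], ",")
		}
		groups = append(groups, g)
	}
	if err := sc.Err(); err != nil {
		// bufio.ErrTooLong means a single line exceeded maxLineBytes.
		return nil, fmt.Errorf("parsing group file: %w", err)
	}
	if cr.n > maxBytes {
		return nil, ErrUserFileTooLarge
	}
	return groups, nil
}

// sampleGroupFile is a constructed, well-formed group database.
const sampleGroupFile = "root:x:0:\n# comment\ndaemon:x:1:\nstaff:x:50:alice,bob\n"

// endlessGroups emulates a crafted layer whose group file never ends; an
// unbounded reader would keep allocating until the process is OOM-killed.
type endlessGroups struct{ pos int }

const endlessPattern = "g:x:1000:\n"

func (e *endlessGroups) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = endlessPattern[e.pos%len(endlessPattern)]
		e.pos++
	}
	return len(p), nil
}

func main() {
	groups, err := parseGroupsBounded(strings.NewReader(sampleGroupFile), maxUserFileBytes)
	fmt.Println(groups, err)
	_, err = parseGroupsBounded(&endlessGroups{}, maxUserFileBytes)
	fmt.Println("endless input:", err)
}
```

The two bounds do different jobs: `io.LimitReader` caps the total the parser will ever consume, and `Scanner.Buffer` caps how much of one line it will hold, so neither a very long file nor a single enormous line can grow memory past a known constant. A parser that returns an error on an oversized file fails one container create; a parser without the bound takes the whole runtime down with it.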
containerd CRI — image-config LABEL flows to restart-monitor binary://logger: host-root command execution from an image pull
CVE-2026-53488 / GHSA-xhf5-7wjv-pqxp
More information
Details
Impact
A bug was found in containerd where the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations.
Patches
This bug has been fixed in the following containerd versions:
Users should update to these versions to resolve the issue.
Workarounds
Ensure that only trusted images are used.
Credits
The containerd project would like to thank Anthropic Research, in collaboration with Claude, the GKE Security Team using Gemini, and Robert Prast (@robertprast) for independently discovering and responsibly disclosing this issue in accordance with the containerd security policy.
For more information
If you have any questions or comments about this advisory:
To report a security issue in containerd:
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
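The corresponding fix commit is "Do not propagate reserved labels from image configs". As an added example (not containerd's code; the project's actual reserved-label list is not on this page), the Go program below shows the defensive shape of that change: image-config labels are treated as untrusted input, anything in a runtime-owned namespace is dropped and reported, and runtime-assigned labels are applied last so they can never be overridden from an image. The `reservedLabelPrefixes` list, the function names and the sample labels are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// reservedLabelPrefixes lists label namespaces that only the runtime itself may
// set on a container. ASSUMPTION for this example: these prefixes stand in for
// containerd's own reserved set, which the PR page does not reproduce.
var reservedLabelPrefixes = []string{
	"containerd.io/",
	"io.cri-containerd.",
}

// isReservedLabel reports whether key lies in a runtime-owned namespace.
func isReservedLabel(key string) bool {
	for _, p := range reservedLabelPrefixes {
		if strings.HasPrefix(key, p) {
			return true
		}
	}
	return false
}

// filterImageLabels returns the image-config labels that are safe to copy onto
// a container, plus the sorted keys that were dropped. A dropped reserved key
// is worth logging: a benign image has no reason to set one.
func filterImageLabels(imageLabels map[string]string) (map[string]string, []string) {
	kept := make(map[string]string, len(imageLabels))
	var dropped []string
	for k, v := range imageLabels {
		if isReservedLabel(k) {
			dropped = append(dropped, k)
			continue
		}
		kept[k] = v
	}
	sort.Strings(dropped)
	return kept, dropped
}

// buildContainerLabels merges untrusted image labels with runtime-owned labels.
// Image labels are filtered first; runtime labels are written last so that a
// runtime decision always wins even if the filter list were incomplete.
func buildContainerLabels(imageLabels, runtimeLabels map[string]string) (map[string]string, []string) {
	labels, dropped := filterImageLabels(imageLabels)
	for k, v := range runtimeLabels {
		labels[k] = v
	}
	return labels, dropped
}

func main() {
	// Constructed image-config labels: one benign, two in a reserved namespace.
	image := map[string]string{
		"org.opencontainers.image.title": "demo",
		"containerd.io/restart.status":   "running",
		"containerd.io/restart.loguri":   "binary:///untrusted-logger",
	}
	runtime := map[string]string{"io.cri-containerd.kind": "container"}
	labels, dropped := buildContainerLabels(image, runtime)
	for _, k := range dropped {
		fmt.Printf("dropped reserved label from image config: %s\n", k)
	}
	fmt.Println(labels)
}
```

The detection angle is in `dropped`: emitting those keys to the runtime log gives an operator a cheap signal that an image in the registry is trying to reach a runtime-internal feature, which is useful even after the patch is applied.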
Release Notes
containerd/containerd (github.com/containerd/containerd)
v1.7.33: containerd 1.7.33
Welcome to the v1.7.33 release of containerd!
The thirty-third patch release for containerd 1.7 contains various fixes
and updates including security patches.
Security Updates
containerd
go-jose
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
Contributors
Changes
17 commits
7517e6737 Prepare release notes for v1.7.33
ab306518a Merge commit from fork
d34cdafda Merge commit from fork
9ab2b7a89 Bound user-database file reads in openBoundedUserFile
1e9806f90 Merge commit from fork
4d8ba4d23 Do not propagate reserved labels from image configs
74c728c13 update runc binary to v1.3.6
947caa4b7 update go to 1.26.4/1.25.11
e884e964e Configure udevd children-max for root-test
b9e756888 Clean up disk space in node e2e workflow
4dfc1844e Bump go-jose to v3.0.5 to address CVE-2026-34986
Dependency Changes
Previous release can be found at v1.7.32
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.