CVE-2026-50195
Publication date 22 June 2026
Last updated 9 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the CRI checkpoint import process where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local tag, thereby poisoning the node's local image cache. Subsequently, if other pods on the same node attempt to use the poisoned tag with an IfNotPresent (or Never) pull policy, they will unknowingly execute the attacker's malicious image instead of the legitimate one. This can lead to a compromise of the affected pods, allowing the attacker to execute arbitrary code under the victim pod's identity. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
Read the notes from the security team
Why is this CVE high priority?
Critical severity
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| containerd | 26.04 LTS resolute |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| containerd-app | 26.04 LTS resolute |
Fixed 2.2.2-0ubuntu1.1
|
| 24.04 LTS noble |
Fixed 2.2.1-0ubuntu1~24.04.3
|
|
| 22.04 LTS jammy |
Fixed 2.2.1-0ubuntu1~22.04.2
|
|
| 20.04 LTS focal |
Not affected
|
|
| containerd-stable | 26.04 LTS resolute |
Fixed 2.2.2-0ubuntu1.1
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release |
Notes
alexmurray
Traditionally the containerd source package contained both the library and docker application. However, in releases that contain the containerd-app source package, the containerd source package contains only the library whilst the docker application itself is contained in the containerd-app package.
mdeslaur
containerd-app gets new upstream versions, containerd-stable gets backported security updates and minor point updates
Severity score breakdown
CVSS version:
Base score
5.6 · Medium
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:L
Base score
9.9 · Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
References
Related Ubuntu Security Notices (USN)
- USN-8472-1
- containerd vulnerabilities
- 25 June 2026
- USN-8473-1
- containerd vulnerabilities
- 25 June 2026