CVE-2026-50195
CVE-2026-50195 is a critical-severity vulnerability in Linuxfoundation Containerd with a CVSS 3.x base score of 9.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-345.
Key facts
- Severity: Critical (CVSS 3.x base score 9.9)
- CVSS v4: 5.6
- EPSS exploit prediction: 0% (28th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-345
- Affected product: Linuxfoundation Containerd
- Published:
- Last modified:
Description
containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the CRI checkpoint import process where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local tag, thereby poisoning the node's local image cache. Subsequently, if other pods on the same node attempt to use the poisoned tag with an IfNotPresent (or Never) pull policy, they will unknowingly execute the attacker's malicious image instead of the legitimate one. This can lead to a compromise of the affected pods, allowing the attacker to execute arbitrary code under the victim pod's identity. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
Frequently asked questions
- What is CVE-2026-50195?
- containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the CRI checkpoint import process where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local tag, thereby poisoning the node's local image cache. Subsequently, if other pods on the same node attempt to use the poisoned tag with an IfNotPresent (or Never) pull policy, they will unknowingly execute the attacker's malicious image instead of the legitimate one. This can lead to a compromise of the affected pods, allowing the attacker to execute arbitrary code under the victim pod's identity. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
- How severe is CVE-2026-50195?
- CVE-2026-50195 has a CVSS 3.x base score of 9.9, rated critical severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2026-50195 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (28th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-50195?
- CVE-2026-50195 affects Linuxfoundation Containerd. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-50195?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2026-50195 published?
- CVE-2026-50195 was published on 2026-07-01 and last updated on 2026-07-02.
References
Affected products (1)
- cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*
More vulnerabilities in Linuxfoundation Containerd
- CVE-2026-53492 — Critical (CVSS 9.6): containerd is an open-source container runtime. In Versions prior to 2.3.2, 2.2.5 and 2.1.9, the CRI implementation…
- CVE-2026-53488 — High (CVSS 8.8): containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI…
- CVE-2021-43816 — High (CVSS 8.0): containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or…
- CVE-2026-46680 — High (CVSS 7.8): containerd is an open-source container runtime. In versions prior to 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers…
- CVE-2021-41103 — High (CVSS 7.8): containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was…
- CVE-2025-47291 — High (CVSS 7.5): containerd is an open-source container runtime. A bug was found in the containerd's CRI implementation where…
All CVEs affecting Linuxfoundation Containerd →
Other CWE-345 (Insufficient Verification of Data Authenticity) vulnerabilities
- CVE-2026-35051 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an…
- CVE-2014-8165 — Critical (CVSS 10.0): scripts/amsvis/powerpcAMS/amsnet.py in powerpc-utils-python uses the pickle Python module unsafely, which allows remote…
- CVE-2022-36130 — Critical (CVSS 9.9): HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated…
- CVE-2026-50214 — Critical (CVSS 9.8): The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing…
- CVE-2025-15385 — Critical (CVSS 9.8): Insufficient Verification of Data Authenticity vulnerability in TECNO Mobile com.Afmobi.Boomplayer allows…
- CVE-2025-8038 — Critical (CVSS 9.8): Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability was fixed in Firefox…
Browse all CWE-345 (Insufficient Verification of Data Authenticity) vulnerabilities →