CVE-2026-53489
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
A vulnerability in containerd allows reading arbitrary files on the host via kubectl logs. The bug occurs in the CRI plugin, which restores container.log from a checkpoint image without validating a symlinked path.
Risk Assessment
An attacker could exploit this vulnerability to read sensitive host files, potentially leading to data leakage or privilege escalation.
Recommendation
Immediately update containerd to version 2.3.2, 2.2.5, or 2.1.9, depending on the branch in use.
Original NVD description (English source)
containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.

