containerd
v1.7.31Kubernetes Corev1.7.31 patches CVE-2026-35469 in spdystream, fixes a CNI DEL regression after restarts, and closes a credential leak in pod events via gRPC error sanitization.
securityPatch CVE-2026-35469 by upgrading to v1.7.31 now
CVE-2026-35469 affects the moby/spdystream library used for SPDY multiplexing. The fix is in spdystream v0.5.1, bundled here. If you're running any 1.7.x release prior to this, upgrade immediately — especially on clusters where the CRI streaming server is exposed or where kubectl exec/attach/port-forward traffic flows through containerd.
securityAudit pod event logs for previously leaked credentials
A bug caused raw error messages — potentially containing registry credentials — to be returned over gRPC and surface in pod events. After upgrading, review historical pod event logs (kubectl get events, or your log aggregation system) for any entries containing auth tokens, passwords, or image pull secrets from before this fix was applied. Rotate any credentials you find.
breakingVerify CNI network teardown is working correctly after upgrade
The CNI DEL fix means containers that previously left behind stale network state after a containerd restart will now properly clean up. This is the right behavior, but if you have automation or scripts that assumed CNI DEL was idempotent-by-absence (i.e., expected cleanup to be skipped), test those workflows. Nodes with a history of unclean restarts may see cleanup activity on first pod deletion post-upgrade.
Key changes (5)
- CVE-2026-35469: spdystream updated from v0.2.0 to v0.5.1 to address the vulnerability
- CNI DEL now correctly executes after a containerd restart — previously orphaned network teardowns were silently skipped
- gRPC error paths sanitized to prevent registry credentials from leaking into pod events
- runc binary bumped to v1.3.5
- TOCTOU race bug fixed in tar extraction