containerd
v1.7.32Kubernetes Corecontainerd 1.7.32 is a security-focused patch addressing CVE-2026-46680, plus hardening the default seccomp profile by blocking AF_ALG sockets and fixing OCI spec USER handling.
securityPatch CVE-2026-46680 now — upgrade to 1.7.32
CVE-2026-46680 is the primary driver for this release. Details are in the containerd security advisory. If you're running any 1.7.x version, treat this as a mandatory upgrade. Check the advisory for severity and attack surface before deciding on your maintenance window — but don't defer this long.
securityAF_ALG is now blocked in the default seccomp profile — verify custom profiles
The default seccomp policy now blocks the AF_ALG (kernel crypto) socket family. Containers relying on AF_ALG for hardware crypto offloading will break after this upgrade. Audit your workloads — most standard containers won't be affected, but custom crypto or HSM-adjacent workloads might. If needed, override via a custom seccomp profile rather than relaxing the default.
breakingOut-of-range USER values now fail explicitly — check your container images
Previously, an out-of-range UID/GID in the OCI spec could silently trigger name lookups with unpredictable results. Now containerd returns an error. If you have images or specs with numeric USER values outside valid range, containers will fail to start instead of behaving unexpectedly. Run a pre-upgrade check on your image inventory, especially anything using high numeric UIDs.
enhancementAppArmor < 3.0 compatibility restored — relevant for older distros
If you're running containerd on Ubuntu 20.04, Debian Bullseye, or any distro shipping AppArmor 2.x, earlier 1.7.x releases may have caused AppArmor profile load failures. This fix conditionally omits the abi directive. Upgrade and verify AppArmor profile loading if you've been seeing related errors.
Key changes (5)
- CVE-2026-46680 patched — update immediately if running 1.7.x
- AF_ALG socket family now blocked in default seccomp socket policy, tightening the default container sandbox
- OCI spec USER values that are out-of-range now return an explicit error instead of silently triggering unexpected username/group lookups
- hosts.toml can now contain only root-level fields with no [host] section, fixing a config parsing bug
- AppArmor abi directive is now set conditionally, restoring compatibility with AppArmor < 3.0