containerd
v1.7.33Kubernetes Corecontainerd 1.7.33 patches two containerd CVEs and one go-jose CVE, updates runc to v1.3.6, and bumps Go. Security-only motivation to upgrade.
securityUpgrade to 1.7.33 for three CVE fixes
Two CVEs in containerd itself (CVE-2026-53488, CVE-2026-47262) and one in go-jose (CVE-2026-34986) are patched here. Full details are in the GitHub security advisories. If you are running containerd 1.7.x in production, upgrade now — there is no other reason to stay on an earlier 1.7.x patch.
securityReserved labels can no longer leak from image configs
A fix was added to prevent reserved labels being propagated from image configs. If your environment relies on label-based access control or policy enforcement, verify that behavior is unchanged after upgrading and check the advisory for CVE-2026-47262 for scope.
enhancementrunc updated to v1.3.6
The bundled runc binary moves from whatever 1.7.32 shipped to v1.3.6. If you manage runc separately, make sure your installed version is at least v1.3.6 to stay consistent with what containerd expects.
Key changes (5)
- CVE-2026-53488 and CVE-2026-47262 patched in containerd core (advisories on GitHub)
- CVE-2026-34986 in go-jose fixed by bumping go-jose/v3 to v3.0.5
- runc binary updated to v1.3.6
- Go runtime updated to 1.26.4 / 1.25.11
- User-database file reads now bounded in openBoundedUserFile (hardening fix)