RATATOSKRATATOSK
Sign in

containerd

v2.0.10Kubernetes Core
Jun 19, 2026

containerd v2.0.10 patches two CVEs (CVE-2026-53488, CVE-2026-47262) and updates runc to v1.3.6. Upgrade promptly if running 2.0.x in production.

  • securityTwo CVEs fixed — upgrade now

    CVE-2026-53488 and CVE-2026-47262 are both addressed in this release. The advisories (GHSA-xhf5-7wjv-pqxp and GHSA-jpcc-p29g-p8mq) have full details on impact and scope. Any containerd 2.0.x node running in production should be upgraded to v2.0.10 before assessing whether you're actually exposed — these are runtime-level issues and the blast radius can be broad.

  • securityrunc bumped to v1.3.6

    The runc binary shipped with containerd is updated to v1.3.6, which itself carries fixes from v1.3.4 and v1.3.5. If you manage runc separately (e.g., installed via package manager), verify your runc version independently and align it with v1.3.6.

  • enhancementImage config reserved labels no longer propagate

    Labels reserved by containerd are now stripped from image configs before use. If you rely on any tooling that reads propagated reserved labels from running containers, test behavior after upgrading — this is a quiet behavioral change that may affect label-based automation.

Key changes (5)

  • CVE-2026-53488 patched — see GHSA-xhf5-7wjv-pqxp for details
  • CVE-2026-47262 patched — see GHSA-jpcc-p29g-p8mq for details
  • runc updated to v1.3.6
  • Go runtime updated to 1.26.4/1.25.11
  • Bounded reads added for user-database file access; reserved labels no longer propagated from image configs