containerd
v2.0.9Kubernetes Corecontainerd 2.0.9 patches CVE-2026-46680 and fixes a TOCTOU race in tar extraction, lost container exit events on restart, and several security hardening issues.
securityPatch CVE-2026-46680 now
A security vulnerability tracked as CVE-2026-46680 is fixed in this release. Any containerd 2.0.x deployment should be upgraded to 2.0.9 immediately. Check the GHSA advisory for affected configurations and severity before scheduling maintenance windows — this shouldn't wait.
securityTOCTOU fix in tar extraction reduces image unpack risk
The TOCTOU race during tar extraction could be exploited with a crafted image layer to escape expected paths. This is relevant for any environment pulling untrusted or third-party images. Upgrade and consider auditing your image pull policies if you haven't already restricted sources.
breakingCheck AppArmor configs if running pre-3.0 AppArmor
The AppArmor ABI field is now set conditionally, so systems running AppArmor older than 3.0 won't have an incompatible ABI injected into generated profiles. If you've been working around this with custom profiles, test your AppArmor setup after upgrading to confirm behavior is as expected.
enhancementFix for lost exit events matters for high-churn workloads
If you've seen containers stuck in unexpected states after a containerd restart — particularly in Kubernetes environments with rapid pod cycling — this fix addresses the root cause. No config change needed; upgrading is enough.
Key changes (5)
- CVE-2026-46680 patched — upgrade immediately, details in the security advisory
- TOCTOU race condition in tar extraction fixed, reducing potential for path traversal during image unpack
- AF_ALG socket family now blocked in default seccomp policy, narrowing the kernel attack surface
- Container exit events no longer dropped when they arrive before CRI info is cached during containerd restart
- Sandbox service bugs fixed: Create fields forwarded correctly and event topics no longer misconfigured