RATATOSKRATATOSK
Sign in

containerd

v2.2.4Kubernetes Core
May 21, 2026

containerd v2.2.4 is a security-focused patch release addressing two CVEs plus several runtime fixes for overlay, sandbox, AppArmor, and seccomp behavior.

  • securityPatch both CVEs — update to v2.2.4 now

    Two CVEs are fixed here: one in containerd itself (CVE-2026-46680) and one in the go-jose dependency (CVE-2026-34986). Both affect production deployments. Don't wait for your next maintenance window — push this update through your standard emergency patch process. If you run containerd on Kubernetes nodes, this applies to all container runtimes backed by containerd regardless of the orchestrator.

  • securityAF_ALG is now blocked by default seccomp — test custom workloads

    The default seccomp profile now blocks AF_ALG (kernel crypto API via sockets). This reduces attack surface, but any workload relying on AF_ALG sockets — unusual but possible in cryptography-heavy or hardware-offload scenarios — will start seeing syscall denials. Run a quick audit of workloads with custom or permissive seccomp profiles before upgrading in production.

  • enhancementUserNS + overlay users should upgrade to fix layer extraction

    If you run rootless containers or pods using user namespaces with the overlay snapshotter, the previous 'rebase' capability caused layer extraction failures. This patch disables that capability automatically in UserNS contexts. No config change needed — just upgrade and verify your rootless workloads mount correctly post-update.

Key changes (5)

  • CVE-2026-46680 patched in containerd core — security advisory on GHSA-fqw6-gf59-qr4w
  • CVE-2026-34986 patched via go-jose bump to v4.1.4 — affects JWT/JWK processing
  • AF_ALG socket family blocked in default seccomp policy, closing a kernel crypto API attack surface
  • Overlay snapshotter disables 'rebase' capability in user namespaces, fixing layer extraction failures
  • OCI spec USER handling now returns explicit errors for out-of-range values instead of silent bad lookups