containerd
v2.1.7Kubernetes Corecontainerd 2.1.7 patches CVE-2026-35469 in spdystream and ships several hardening fixes including credential leak prevention via gRPC and a TOCTOU race in tar extraction.
securityPatch CVE-2026-35469 by upgrading to 2.1.7 now
CVE-2026-35469 in moby/spdystream is fixed in this release. spdystream is used in the CRI streaming path, so any cluster running Kubernetes workloads with exec/attach/port-forward is potentially exposed. Upgrade containerd to 2.1.7 on all nodes. No config changes needed, just a binary swap and daemon restart.
securityCredential leak via gRPC pod events is now closed
Before this fix, raw errors containing registry credentials could surface in pod events visible to namespace-scoped users. If your clusters allow broad pod event access, assume credentials may have been exposed in logs or event streams. Rotate any registry pull secrets used on affected clusters, then upgrade to 2.1.7 to prevent recurrence.
enhancementCNI DEL fix prevents IP/resource leaks after restarts
A bug meant CNI DEL was never called for sandboxes cleaned up after a containerd restart, leaking network resources. If you've seen stale IPs or CNI state after node restarts, this is likely why. Upgrade to 2.1.7 and consider draining nodes before restarting containerd to clear any existing leaked state.
主な変更 (5)
- CVE-2026-35469 patched via spdystream upgrade to v0.5.1
- gRPC error sanitization prevents credential leaks in pod events
- TOCTOU race condition fixed in tar extraction
- CNI DEL now executes correctly after containerd restart
- runc updated to v1.3.5; read-only bind-mount flags preserved in user namespaces