RATATOSKRATATOSK
ログイン

containerd

v2.1.9Kubernetes Core
2026年6月19日

containerd v2.1.9 is a security-focused patch release fixing 5 CVEs. Upgrade immediately if you run any containerd 2.1.x deployment.

  • securityPatch 5 CVEs — upgrade containerd 2.1.x now

    This release closes 5 CVEs in containerd itself. The advisories are not yet public so severity details are unavailable, but 5 CVEs in a single patch release is unusually high. Any team running containerd 2.1.x on production nodes should plan an upgrade this week. Check your Kubernetes node images, managed node groups, and any bare-metal CRI setups.

  • securityrunc updated to v1.3.6 — verify your runc version separately

    The bundled runc binary ships as v1.3.6, which likely carries its own fixes. If you manage runc independently (common on Kubernetes nodes), confirm you are also running v1.3.6 or later — upgrading containerd alone will not replace a separately installed runc binary.

  • enhancementCheckpoint restore hardened against malicious archive content

    Three CRI fixes tighten checkpoint/restore: unexpected archive content is now rejected, re-tagging of restored checkpoints is skipped, and CDI annotations are filtered. If your team uses container checkpointing (e.g., CRIU-based live migration), test restore workflows after upgrading to confirm behavior is unchanged.

主な変更 (5)

  • 5 CVEs patched: CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262
  • runc dependency updated to v1.3.6
  • Go runtime updated to 1.26.4 / 1.25.11
  • CRI: CDI annotations filtered on checkpoint restore to prevent label propagation issues
  • User-database file reads bounded in openBoundedUserFile to prevent unbounded resource consumption