containerd
v2.2.5Kubernetes Corecontainerd 2.2.5 is a security-heavy patch release fixing 5 CVEs, with runc bumped to v1.3.6 and Go updated to 1.26.4/1.25.11. Upgrade promptly if running 2.2.x.
securityPatch 5 CVEs — upgrade 2.2.x nodes now
This release closes 5 CVEs in containerd itself. Details are in the linked security advisories. Any cluster running containerd 2.2.x should upgrade to 2.2.5. The runc bump to v1.3.6 may also carry its own fixes — check the runc release notes before rolling out.
securitygolang.org/x/crypto and net updated — relevant if you build custom plugins
golang.org/x/crypto jumped from v0.45.0 to v0.53.0 and golang.org/x/net from v0.47.0 to v0.55.0. If you vendor containerd or build plugins against its libraries, re-vendor and rebuild. The crypto jump in particular covers several upstream security fixes across that range.
enhancementCheckpoint/restore is more reliable in this release
Three separate CRI fixes land here: CDI annotations are now filtered on checkpoint restore, restored checkpoints are no longer incorrectly re-tagged, and the restore path is hardened against malformed archive content. If you use container checkpoint/restore in production, this release is worth prioritizing.
主な変更 (5)
- 5 CVEs patched: CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262
- runc binary updated to v1.3.6
- Go runtime updated to 1.26.4/1.25.11
- golang.org/x/crypto bumped from v0.45.0 to v0.53.0 along with other x/ dependency updates
- CRI checkpoint restore hardened: CDI annotation filtering, re-tagging fix, and robustness against unexpected archive content