RATATOSKRATATOSK
ログイン

containerd

v2.2.5Kubernetes Core
2026年6月19日

containerd 2.2.5 is a security-heavy patch release fixing 5 CVEs, with runc bumped to v1.3.6 and Go updated to 1.26.4/1.25.11. Upgrade promptly if running 2.2.x.

  • securityPatch 5 CVEs — upgrade 2.2.x nodes now

    This release closes 5 CVEs in containerd itself. Details are in the linked security advisories. Any cluster running containerd 2.2.x should upgrade to 2.2.5. The runc bump to v1.3.6 may also carry its own fixes — check the runc release notes before rolling out.

  • securitygolang.org/x/crypto and net updated — relevant if you build custom plugins

    golang.org/x/crypto jumped from v0.45.0 to v0.53.0 and golang.org/x/net from v0.47.0 to v0.55.0. If you vendor containerd or build plugins against its libraries, re-vendor and rebuild. The crypto jump in particular covers several upstream security fixes across that range.

  • enhancementCheckpoint/restore is more reliable in this release

    Three separate CRI fixes land here: CDI annotations are now filtered on checkpoint restore, restored checkpoints are no longer incorrectly re-tagged, and the restore path is hardened against malformed archive content. If you use container checkpoint/restore in production, this release is worth prioritizing.

主な変更 (5)

  • 5 CVEs patched: CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262
  • runc binary updated to v1.3.6
  • Go runtime updated to 1.26.4/1.25.11
  • golang.org/x/crypto bumped from v0.45.0 to v0.53.0 along with other x/ dependency updates
  • CRI checkpoint restore hardened: CDI annotation filtering, re-tagging fix, and robustness against unexpected archive content