containerd
v2.3.1Kubernetes Corecontainerd 2.3.1 patches CVE-2026-46680 and fixes several runtime/snapshotter bugs including seccomp hardening that blocks AF_ALG sockets by default.
securityPatch CVE-2026-46680 now — upgrade from 2.3.0
CVE-2026-46680 is fixed in this release. Details are in the containerd security advisory. If you're on 2.3.0, treat this as a mandatory upgrade. Check your package manager or deployment pipeline to roll out 2.3.1 across all nodes before the vulnerability details are widely circulated.
securityAF_ALG blocked in default seccomp policy — test workloads that use kernel crypto
The default seccomp profile now blocks AF_ALG (Linux kernel crypto API via sockets). Most containerized applications won't touch this, but anything using AF_ALG directly for cryptographic operations will break. Before upgrading in production, verify your workloads don't rely on AF_ALG — run a quick strace or audit your application's socket calls. Custom seccomp profiles are unaffected.
breakingNon-runc runtime users: test sandbox task API behavior after upgrade
The sandbox task API endpoint fix and deprecation of task fields in Runc options targets non-runc runtime setups (e.g., Kata Containers, gVisor). If your cluster uses alternative runtimes, validate that container creation and task management still work as expected post-upgrade. The deprecation of task fields means you should audit any custom Runc options configs to remove deprecated fields before they're removed in a future version.
主な変更 (5)
- CVE-2026-46680 patched — upgrade immediately if running 2.3.0
- Default seccomp policy now blocks AF_ALG socket family, tightening container isolation
- Out-of-range USER values in OCI spec now return explicit errors instead of triggering unexpected username/group lookups
- Sandbox task API endpoints fixed for non-runc runtimes; task fields in Runc options deprecated
- BoltDB files for metadata and mount plugins now properly closed on server shutdown, preventing resource leaks