containerd
v2.3.2Kubernetes Corecontainerd 2.3.2 is a security-heavy patch release fixing 5 CVEs alongside runtime stability fixes. Upgrade promptly if you're running 2.3.x in production.
security5 CVEs fixed — upgrade 2.3.x nodes now
Five CVEs are patched in this release, covering containerd's core. The advisories are not yet fully public, but the breadth (5 in one patch) suggests meaningful attack surface. Teams running containerd 2.3.x in any environment should upgrade to 2.3.2 without waiting for the next maintenance window. Check your node provisioning pipelines and update the containerd binary alongside runc (now v1.4.3).
enhancementRetry on transient network errors during image pull
The resolver now retries on transient network errors when the last configured host is tried. This reduces pull failures in flaky network environments without requiring any config change. No action needed, but useful context if you've been seeing intermittent image pull errors under network instability.
enhancementSlow container creation no longer causes RPC timeout failures
A lock in the runc shim was held across the runc create call, causing concurrent RPC timeouts and startup failures when container creation was slow. This is now fixed. If you've seen containers stuck or failing to start under load, this patch likely addresses it.
主な変更 (5)
- 5 CVEs patched (CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262) — full advisories on GitHub Security
- runc updated to v1.4.3 and Go runtime bumped to 1.26.4
- golang.org/x/crypto bumped from v0.49.0 to v0.53.0, along with other golang.org/x dependency updates
- Fixed a data race in Windows shim log reads (deferredPipeConnection)
- Fixed concurrent task RPC timeout causing container startup failures during slow container creation