Security patch release fixing CVE-2026-46680 plus runtime bugs in sandbox service, AppArmor compatibility, and OCI USER spec handling.
securityPatch CVE-2026-46680 immediately
CVE-2026-46680 is the primary driver for this release. Review the GHSA advisory to understand the attack surface and severity. If you run containerd 2.1.x in any environment, upgrading to 2.1.8 should be your next deployment task. There are no dependency changes, so the upgrade path is straightforward.
breakingOCI USER out-of-range values now fail explicitly — check your container specs
Previously, out-of-range USER values in OCI specs could silently fall through to username/group lookups, masking misconfigurations. Now containerd returns an explicit error. If any of your containers or image builds set numeric USER values outside valid UID/GID ranges, they will start failing visibly after this upgrade. Audit your specs before rolling out to production.
enhancementUpgrade if you run AppArmor < 3.0 or use sandbox-based runtimes
The conditional AppArmor abi fix is a real blocker for anyone on older AppArmor (e.g., Ubuntu 20.04 ships 2.x). The sandbox service bug also affects event-driven workflows and correct sandbox creation — silent misconfiguration is worse than a visible error. If you use Kata Containers or any sandbox-based runtime, this fix directly affects you.
主な変更 (5)
- CVE-2026-46680 addressed — check the advisory for scope and impact before upgrading
- OCI spec now returns explicit errors for out-of-range USER values instead of silently triggering unexpected username/group lookups
- Sandbox service bugs fixed: Create fields were not being forwarded correctly and event topics were broken
- AppArmor abi field now set conditionally, restoring compatibility with AppArmor versions below 3.0
- Volatile snapshotter now accepts both 'volatile' and 'fsync=volatile' mount option styles