Listen to this Post
The vulnerability CVE-2026-46680 arises from an input validation error in containerd when processing the `User` directive for container images. Specifically, if the `User` field contains a numeric string that cannot be parsed as a 32-bit integer (e.g., due to being too large to fit within the 32-bit signed integer range), containerd incorrectly interprets this numeric string as a username rather than a UID. This misinterpretation triggers a fallback mechanism where containerd attempts to resolve this username against the container’s `/etc/passwd` file. An attacker can exploit this by crafting a malicious container image that provides a specific `/etc/passwd` entry. This entry maps the problematic large numeric string to the root user (UID 0). Consequently, when the container is launched, the parsing flaw causes the container to ultimately execute all processes with root privileges, effectively bypassing any Kubernetes securityContext `runAsNonRoot` restrictions that are intended to enforce non-root execution. This vulnerability is fixed in containerd versions 1.7.32, 2.0.9, 2.2.4, and 2.3.1.
Platform: Containerd
Version : <1.7.32,<2.0.9,<2.2.4,<2.3.1
Vulnerability: Input Validation Error
Severity : High
date : 2026-05-21
Prediction: Already patched
Analytics under heading What Undercode Say:
Check current containerd version
containerd --version
Verify node state for vulnerable pods (e.g., those using numeric User strings)
kubectl get pods --all-namespaces -o json | jq '.items[] | select(.spec.containers[].securityContext.runAsNonRoot == true) | {name: .metadata.name, namespace: .metadata.namespace, node: .spec.nodeName}'
How Exploit:
An attacker pushes a malicious image with a `User` field like `4294967296` (2^32, too large for 32-bit) and a crafted `/etc/passwd` mapping this string to root. When run, the container executes as root despite runAsNonRoot: true.
Protection from this CVE:
Upgrade to containerd >=1.7.32, >=2.0.9, >=2.2.4, or >=2.3.1. Alternatively, enforce a numeric `runAsUser` in the Pod `securityContext` or use Kubernetes >=1.34.
Impact:
Complete bypass of Kubernetes `runAsNonRoot` restriction, allowing containers to run as root (UID 0) when non-root execution is required, potentially leading to container escape and host compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

