Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-cvxm-645q-p574 | containerd: CRI checkpoint import allows local image tag poisoning |
Ubuntu USN |
USN-8472-1 | containerd vulnerabilities |
Ubuntu USN |
USN-8473-1 | containerd vulnerabilities |
Fri, 03 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 03 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-1289 | |
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
Thu, 02 Jul 2026 04:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Containerd
Containerd containerd |
|
| Vendors & Products |
Containerd
Containerd containerd |
Wed, 01 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the CRI checkpoint import process where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local tag, thereby poisoning the node's local image cache. Subsequently, if other pods on the same node attempt to use the poisoned tag with an IfNotPresent (or Never) pull policy, they will unknowingly execute the attacker's malicious image instead of the legitimate one. This can lead to a compromise of the affected pods, allowing the attacker to execute arbitrary code under the victim pod's identity. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9. | |
| Title | containerd: CRI checkpoint import allows local image tag poisoning | |
| Weaknesses | CWE-345 CWE-829 |
|
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-01T18:32:29.659Z
Reserved: 2026-06-03T22:05:13.645Z
Link: CVE-2026-50195
Updated: 2026-07-01T18:32:26.407Z
No data.
OpenCVE Enrichment
Updated: 2026-07-07T14:30:04Z
Github GHSA
Ubuntu USN