vendor: github.com/containerd/containerd/v2 v2.2.5 #3920

Merged
crazy-max merged 1 commit into docker:master from thaJeztah:bump_containerd on Jul 1, 2026
@thaJeztah thaJeztah commented Jun 19, 2026

Member

vendor: github.com/containerd/containerd/v2 v2.2.5

- full diff: containerd/containerd@v2.2.4...v2.2.5
- release notes: https://github.com/containerd/containerd/releases/tag/v2.2.5

The fifth patch release for containerd 2.2 contains various fixes
and updates including security patches.

Security Updates

- CVE-2026-50195 / [GHSA-cvxm-645q-p574] CRI: checkpoint import allows local image tag poisoning
- CVE-2026-53488 / [GHSA-xhf5-7wjv-pqxp] CRI: image-config LABEL flows to host-root command execution from an image pull
- CVE-2026-53492 / [GHSA-33vj-92qq-66hc] CRI: CDI annotation smuggling during CRI checkpoint restore
- CVE-2026-53489 / [GHSA-rgh6-rfwx-v388] CRI: Arbitrary host file read via symlink following in CRI checkpoint restore
- CVE-2026-47262 / [GHSA-jpcc-p29g-p8mq] containerd image-triggered runtime DoS via unbounded group parsing

[GHSA-cvxm-645q-p574]: GHSA-cvxm-645q-p574
[GHSA-xhf5-7wjv-pqxp]: GHSA-xhf5-7wjv-pqxp
[GHSA-33vj-92qq-66hc]: GHSA-33vj-92qq-66hc
[GHSA-rgh6-rfwx-v388]: GHSA-rgh6-rfwx-v388
[GHSA-jpcc-p29g-p8mq]: GHSA-jpcc-p29g-p8mq

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

@thaJeztah thaJeztah marked this pull request as draft June 19, 2026 08:19
@crazy-max crazy-max added this to the v0.36.0 milestone Jul 1, 2026
@crazy-max crazy-max merged commit 490fe96 into docker:master Jul 1, 2026
160 checks passed
@thaJeztah thaJeztah deleted the bump_containerd branch July 1, 2026 13:30