PT-2026-42700 · Unknown · Kubernetes Containerd

Published: 2026-05-21 · Updated: 2026-06-09 · CVE-2026-46680

CVSS v4.0: 7.3 (High)

Vector: AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

containerd versions prior to 2.3.1
containerd versions prior to 2.2.4
containerd versions prior to 2.0.9
containerd versions prior to 1.7.32
Description

An input validation error exists: when a container is launched with a numeric User directive that cannot be parsed as a 32-bit integer, containerd incorrectly treats the value as a username. If a crafted image ships an /etc/passwd file that maps this oversized numeric string to root, the container runs as root (UID 0). This bypasses the Kubernetes runAsNonRoot restriction, affecting environments that require containers to run as a non-root user.
Recommendations

Update to version 2.3.1.
Update to version 2.2.4.
Update to version 2.0.9.
Update to version 1.7.32.
Ensure only trusted images are used and only trusted users have permissions to import images.
Enforce a specific numeric runAsUser in the Kubernetes Pod securityContext to override the USER directive in the image.
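The following is an added example, not code from containerd, Kubernetes or this advisory's authors, showing the two defensive checks the recommendations above imply. The first function flags an OCI image User value whose all-digit uid or gid does not fit in 32 bits (the hazard pattern the description names); this models the advisory text and is not containerd's actual parser. The second walks a Pod manifest and reports containers that rely on runAsNonRoot alone without an explicit numeric runAsUser, and the third applies the recommended override. The sample Pod and the fallback uid 65532 are constructed placeholders.

```python
# Added example: defensive checks modelled on the advisory's recommendations.
# Not containerd's or Kubernetes' own code; the 32-bit test is an assumption
# derived from the advisory text, not a copy of containerd's User parsing.
import copy
import re
from typing import Any, Dict, List, Tuple

UINT32_MAX = 2**32 - 1
_DIGITS = re.compile(r"[0-9]+")


def numeric_user_overflows(user: str) -> bool:
    """True if an image User value ("uid", "uid:gid", "name", "name:group")
    contains an all-digit field larger than a 32-bit unsigned integer.
    Such a value is numeric to a human reader but, per the advisory, may be
    looked up as a *name* instead of used as a uid."""
    if not user:
        return False
    for part in user.split(":", 1):
        if _DIGITS.fullmatch(part) and int(part) > UINT32_MAX:
            return True
    return False


def containers_without_numeric_run_as_user(pod: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (container name, reason) for every init/app container that has
    no explicit integer runAsUser at pod or container level, or that runs
    explicitly as uid 0. runAsNonRoot alone is what the bypass defeats."""
    spec = pod.get("spec", {})
    pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
    findings: List[Tuple[str, str]] = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        uid = (c.get("securityContext") or {}).get("runAsUser", pod_uid)
        if isinstance(uid, bool) or not isinstance(uid, int):
            findings.append((c["name"], "no numeric runAsUser at pod or container level"))
        elif uid == 0:
            findings.append((c["name"], "runAsUser is 0 (root)"))
    return findings


def enforce_run_as_user(pod: Dict[str, Any], uid: int = 65532) -> Dict[str, Any]:
    """Return a copy of the Pod with a pod-level numeric runAsUser (and
    runAsNonRoot) set where missing, so the image USER directive is
    overridden. 65532 is a placeholder uid; pick your own unprivileged uid.
    Container-level settings that are already explicit are left alone."""
    hardened = copy.deepcopy(pod)
    sc = hardened.setdefault("spec", {}).setdefault("securityContext", {})
    sc.setdefault("runAsUser", uid)
    sc.setdefault("runAsNonRoot", True)
    return hardened


# Constructed sample manifest: only "web" pins a numeric uid; "init" and
# "worker" rely on runAsNonRoot, which is exactly the weak setting.
SAMPLE_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "initContainers": [{"name": "init", "image": "example/init"}],
        "containers": [
            {"name": "web", "image": "example/web",
             "securityContext": {"runAsUser": 1000}},
            {"name": "worker", "image": "example/worker",
             "securityContext": {"runAsNonRoot": True}},
        ],
    },
}

if __name__ == "__main__":
    for value in ("1000", "1000:1000", "4294967296", "app"):
        print(f"User={value!r}: overflows 32 bits = {numeric_user_overflows(value)}")
    print("weak:", containers_without_numeric_run_as_user(SAMPLE_POD))
    print("hardened:", containers_without_numeric_run_as_user(enforce_run_as_user(SAMPLE_POD)))
```

The pod-level override is the cheapest place to apply the recommendation because every container inherits it unless it sets its own runAsUser; the check still reports a container that explicitly sets uid 0, since that is a deliberate root container rather than a bypass and should be reviewed on its own.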

Fix

Type Confusion


Weakness Enumeration

Related Identifiers

CVE-2026-46680
GHSA-FQW6-GF59-QR4W

Affected Products

Kubernetes
Kubernetes Containerd