CVE-2026-46680

containerd user ID handling bypass allows runAsNonRoot evasion

CVSS 7.3 (High) · EPSS 0.2% · CWE-269
Vexday Risk Score: 41 (Attention)
SSVC decision (CISA): Attend. A PoC is available, so attend closely.
KEV: no · Public PoC: yes
Lifecycle
21 May 2026: Public PoC
01 Jul 2026: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
containerd is an open-source container runtime. In versions prior to 1.7.32, 2.0.9, 2.2.4 and 2.3.1, a numeric User directive that cannot be parsed as a 32-bit integer is incorrectly treated as a username when a container is launched, leading to runAsNonRoot evasion. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user. This issue has been fixed in versions 1.7.32, 2.0.9, 2.2.4 and 2.3.1.
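As an added illustration (not containerd's own code), the decision the description turns on: an all-digit User field that does not fit a 32-bit ID must be rejected, not looked up as a username. The passwd map standing in for the image's /etc/passwd and the strict flag that selects the legacy or hardened behaviour are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrOutOfRange: the user field is all digits but does not fit a 32-bit ID.
var ErrOutOfRange = errors.New("numeric user ID does not fit in 32 bits")

// ResolveUID decides which UID the "user" half of an OCI User directive
// ("user[:group]") denotes. passwd is a constructed stand-in for the image's
// /etc/passwd (name -> UID). strict=false reproduces the fall-through described
// in the advisory; strict=true is the hardened variant that rejects it instead.
func ResolveUID(user string, passwd map[string]uint32, strict bool) (uint32, error) {
	name := user
	if i := strings.IndexByte(user, ':'); i >= 0 {
		name = user[:i] // drop the optional ":group" part
	}
	if name != "" && strings.Trim(name, "0123456789") == "" { // all digits
		if v, err := strconv.ParseUint(name, 10, 32); err == nil {
			return uint32(v), nil
		}
		if strict {
			return 0, ErrOutOfRange
		}
		// legacy path: fall through to the username lookup below
	}
	uid, ok := passwd[name]
	if !ok {
		return 0, fmt.Errorf("unknown user %q", name)
	}
	return uid, nil
}

// CheckRunAsNonRoot enforces the policy on the resolved UID, so that UID 0
// reached through any path is refused (defence in depth beside the parser fix).
func CheckRunAsNonRoot(user string, passwd map[string]uint32, strict bool) error {
	uid, err := ResolveUID(user, passwd, strict)
	if err != nil {
		return err
	}
	if uid == 0 {
		return errors.New("container would run as UID 0; runAsNonRoot violated")
	}
	return nil
}
```

With a constructed passwd such as `{"root": 0, "app": 1000, "4294967296": 0}`, the legacy path resolves "4294967296" to UID 0 while the strict path returns ErrOutOfRange; the post-resolution check refuses UID 0 in both cases.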
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
containerd · containerd