chore(deps): update module github.com/containerd/containerd to v1.7.32 [security]#2726
Conversation
…2 [security] Signed-off-by: redhat-renovate-bot <redhat-internal-renovate@redhat.com>
redhat-renovate-bot
added
the
release-note-none
kubevirt-bot
added
the
dco-signoff: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the github.com/containerd/containerd dependency from version 1.7.30 to 1.7.32. The changes include a security improvement in the archive package by switching from path-based os.Chmod to file-descriptor-based f.Chmod to prevent race conditions, and an update to the mount logic to correctly handle the fsync=volatile option. I have no feedback to provide.
|
2 participants
This PR contains the following updates:
v1.7.30→v1.7.32GitHub Vulnerability Alerts
CVE-2026-46680
Impact
A bug was found in containerd where containers launched with a numeric
Userdirective that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an/etc/passwdfile mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the KubernetesrunAsNonRootrestriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user.Patches
This bug has been fixed in the following containerd versions:
Note: The containerd 2.1 release has reached its end of life and a fixed version is not provided.
Users should update to these versions to resolve the issue.
Workarounds
Ensure that only trusted images are used and that only trusted users have permissions to import images. Alternatively, enforcing a specific numeric
runAsUserin the Kubernetes PodsecurityContextoverrides theUSERdirective in the image and prevents the bypass. Newer versions of Kubernetes, starting with 1.34, also appear to enforcerunAsNonRootproperly regardless of this bug.Credits
The containerd project would like to thank Lei Wang (@ssst0n3) for responsibly disclosing this issue in accordance with the containerd security policy.
Resources
For more information
If there are any questions or comments about this advisory:
To report a security issue in containerd:
containerd user ID handling bypass allows runAsNonRoot evasion
CVE-2026-46680 / GHSA-fqw6-gf59-qr4w
More information
Details
Impact
A bug was found in containerd where containers launched with a numeric
Userdirective that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an/etc/passwdfile mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the KubernetesrunAsNonRootrestriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user.Patches
This bug has been fixed in the following containerd versions:
Note: The containerd 2.1 release has reached its end of life and a fixed version is not provided.
Users should update to these versions to resolve the issue.
Workarounds
Ensure that only trusted images are used and that only trusted users have permissions to import images. Alternatively, enforcing a specific numeric
runAsUserin the Kubernetes PodsecurityContextoverrides theUSERdirective in the image and prevents the bypass. Newer versions of Kubernetes, starting with 1.34, also appear to enforcerunAsNonRootproperly regardless of this bug.Credits
The containerd project would like to thank Lei Wang (@ssst0n3) for responsibly disclosing this issue in accordance with the containerd security policy.
Resources
For more information
If there are any questions or comments about this advisory:
To report a security issue in containerd:
Severity
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
containerd/containerd (github.com/containerd/containerd)
v1.7.32: containerd 1.7.32Compare Source
Welcome to the v1.7.32 release of containerd!
The thirty-second patch release for containerd 1.7 contains various fixes
and updates including a security patch.
containerd
Allow hosts.toml to contain only root-level fields without an explicit [host] section (#10028)
Fix handling of out-of-range USER values in OCI spec to avoid unexpected username/group lookups (#13450)
Apply hardening to block AF_ALG in default socket policy (#13406)
Support both "volatile" and "fsync=volatile" mount options for volatile snapshotter (#13299)
Set AppArmor abi conditionally to support versions < 3.0 (#13273)
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
17 commits
bc87d865cPrepare release notes for v1.7.32503f47946oci: return explicit error for out-of-range USER valuese55b747d3seccomp: Block AF_ALG in default socket policy4627a65f8seccomp: Document socket rule scope and socketcall limitation24007441dFix error parsing hosts.toml without anyhosttree940733149Support both styles of volatile mount option2b732c892apparmor: Set abi conditionally0db1e143aAdd GitHub Action for k8s node e2e tests3223a75c2Update for latest updates to release tool1b30082ebUpdate release process after 1.7This release has no dependency changes
Previous release can be found at v1.7.31
v1.7.31: containerd 1.7.31Compare Source
Welcome to the v1.7.31 release of containerd!
The thirty-first patch release for containerd 1.7 contains various fixes
and updates including a security patch.
Security Updates
Highlights
Container Runtime Interface (CRI)
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
Contributors
Changes
37 commits
7d2662653Prepare release notes for v1.7.313f795c02aupdate github.com/moby/spdystream v0.5.17b1e1b17bupdate to Go 1.25.9, 1.26.2b673f2d42update golangci-lint to v2.9.0 with go1.26 supportd88d8513aremove windows/arm from cross builda763407b5Ignore warnings for golangci-lint bump03dcd8360ci: bump golangci from 6.5.2 to 7.0.0c08711218Update github.com/moby/spdystream v0.2.0->v0.5.0043548f6dSkip TestExportAndImportMultiLayer on s390xe99bd6050[release/1.7] update runc binary to v1.3.53a3103aafCODEOWNERS: mark Sam and Chris as owners for 1.79b4cfa271Ignore NOCHANGE error53e9e73f0ci: modprobe xt_comment on almalinux61c2733fdFix TOCTOU race bug in tar extractionf854c1890fix issue where cni del is never executed5c091d92eapparmor: explicitly set abi/3.0177ac10feintegration: Fix TestImageLoad() failure on CI56da43d0fupdate to go1.24.13, go1.25.75cb3cb9baci: bump go 1.24.12, 1.25.6b1fa03843fix: sanitize error before gRPC return to prevent credential leak in pod eventse2c93a42ccri: emit warning for concurrent CreateContainerDependency Changes
Previous release can be found at v1.7.30
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.