<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CVE-2026-50195 on ZX Cloud Security</title><link>https://zxcloudsecurity.co.uk/tags/cve-2026-50195/</link><description>Recent content in CVE-2026-50195 on ZX Cloud Security</description><generator>Hugo</generator><language>en-GB</language><lastBuildDate>Fri, 19 Jun 2026 00:29:27 +0000</lastBuildDate><atom:link href="https://zxcloudsecurity.co.uk/tags/cve-2026-50195/index.xml" rel="self" type="application/rss+xml"/><item><title>AWS containerd CRI Flaws: CVE-2026-50195 &amp; More</title><link>https://zxcloudsecurity.co.uk/posts/aws-containerd-cri-vulnerabilities-cve-2026-50195-cve-2026-53488-eks-ecs-fargate/</link><pubDate>Fri, 19 Jun 2026 00:29:27 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/aws-containerd-cri-vulnerabilities-cve-2026-50195-cve-2026-53488-eks-ecs-fargate/</guid><description>Five containerd CRI plugin vulnerabilities (CVE-2026-50195 and others) affect EKS, ECS, Fargate and more. Patch immediately to prevent host compromise.</description><content:encoded><![CDATA[<p>🔴 <strong>Critical</strong>  |  <strong>Source:</strong> <a href="https://aws.amazon.com/security/security-bulletins/rss/2026-046-aws/">AWS Security Bulletins</a></p>
<hr>
<p>AWS has identified five vulnerabilities in containerd&rsquo;s Container Runtime Interface (CRI) plugin affecting versions 1.7 through 2.3, impacting managed services including EKS, ECS, Fargate, Bottlerocket, and Amazon Linux. The flaws range from arbitrary host file reads and command execution via image labels, to container checkpoint abuse and a runtime denial-of-service. Exploitation could allow a malicious container image or checkpoint to compromise host systems or disrupt container workloads.</p>
<blockquote>
<p><strong>Security Architect&rsquo;s Take:</strong> Audit your EKS, ECS, and Fargate environments for exposure and apply AWS-provided patches or updated AMIs/node images immediately; also restrict who can push container images or initiate checkpoint restores, as several CVEs are exploitable via crafted images or checkpoint archives.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://aws.amazon.com/security/security-bulletins/rss/2026-046-aws/">Issue with containerd CRI Plugin - CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262</a></p>
]]></content:encoded></item><item><title>GKE containerd Flaws CVE-2026-50195 &amp; More</title><link>https://zxcloudsecurity.co.uk/posts/gke-containerd-vulnerabilities-cve-2026-50195-cve-2026-53488-host-compromise/</link><pubDate>Thu, 18 Jun 2026 00:00:00 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/gke-containerd-vulnerabilities-cve-2026-50195-cve-2026-53488-host-compromise/</guid><description>Multiple containerd vulnerabilities in GKE allow Pod-privileged attackers to compromise hosts, poison caches, and cause DoS. Patch GKE nodes now.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://docs.cloud.google.com/kubernetes-engine/security-bulletins#gcp-2026-037">GCP GKE Security Bulletins</a></p>
<hr>
<p>Multiple high-severity vulnerabilities have been discovered in containerd, the container runtime used by Google Kubernetes Engine (GKE). Attackers with permissions to create Pods can exploit these flaws to bypass Kubernetes security boundaries, potentially compromising the underlying host, poisoning image caches, or causing denial of service. Although some CVEs are rated Critical in containerd upstream, GKE classifies them as High due to the prerequisite of cluster-level Pod creation privileges.</p>
<blockquote>
<p><strong>Security Architect&rsquo;s Take:</strong> Prioritise upgrading affected GKE node pools to patched containerd versions immediately, and in the interim review RBAC policies to restrict Pod creation permissions to only trusted identities — limiting who can create Pods is the most effective compensating control given that privilege is the primary exploitation prerequisite.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://docs.cloud.google.com/kubernetes-engine/security-bulletins#gcp-2026-037">GCP-2026-037</a></p>
]]></content:encoded></item></channel></rss>