AWS has identified five vulnerabilities in containerd’s Container Runtime Interface (CRI) plugin affecting versions 1.7 through 2.3, impacting managed services including EKS, ECS, Fargate, Bottlerocket, and Amazon Linux. The flaws range from arbitrary host file reads and command execution via image labels, to container checkpoint abuse and a runtime denial-of-service. Exploitation could allow a malicious container image or checkpoint to compromise host systems or disrupt container workloads.

Security Architect’s Take: Audit your EKS, ECS, and Fargate environments for exposure and apply AWS-provided patches or updated AMIs/node images immediately; also restrict who can push container images or initiate checkpoint restores, as several CVEs are exploitable via crafted images or checkpoint archives.

Original advisory: Issue with containerd CRI Plugin - CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262