CVE-2026-53488

high Red Hat
CVSS v3 Base Score
8.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score
0.2%
Exploitation probability in 30 days
Top 86% most likely to be exploited
Attack Characteristics
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Confidentiality
High
Integrity
High
Availability
High
Published: July 1, 2026 (8 days ago)
Last Modified: July 1, 2026
Vendor: Red Hat
Source: REDHAT

Description

A flaw was found in containerd, an open-source container runtime. The Container Runtime Interface (CRI) plugin, which manages container operations, fails to validate labels propagated from an image configuration to a container. This oversight could enable an attacker to execute arbitrary commands on the host system through a plugin that processes these unvalidated labels. The primary impact is host-root command execution, allowing unauthorized control over the underlying system.

CWE

CWE-78

Affected Products

Assisted Installer for Red Hat OpenShift Container Platform 2Confidential Compute AttestationDeployment Validation OperatorGatekeeper 3Kernel Module Management Operator for Red Hat OpenshiftLogging Subsystem for Red Hat OpenShiftLogical Volume Manager StorageMachine Deletion Remediation OperatorMCP Server for Red Hat OpenShiftMigration Toolkit for Containers

References