fix(deps): bump containerd to v1.7.33 (CVE-2026-53488, CVE-2026-47262)#16

Merged
gitautomator[bot] merged 1 commit into main from fix/bump-containerd-cve on Jun 24, 2026

Conversation

@francis-jjk

Contributor

What

Bumps github.com/containerd/containerd from v1.7.32 to v1.7.33 (a direct dependency). Only go.mod / go.sum change.

Why — clears two Dependabot/Vanta findings

| Severity | CVE | Advisory | Issue |
|---|---|---|---|
| HIGH | CVE-2026-53488 | GHSA-xhf5-7wjv-pqxp | CRI plugin propagated image-config LABELs to containers without validation → potential arbitrary command execution on the host |
| MEDIUM | CVE-2026-47262 | GHSA-jpcc-p29g-p8mq | A maliciously crafted image could exhaust memory and OOM-kill containerd (DoS) |

Both are fixed upstream in containerd 1.7.33.

Verification

  • go mod verify → all modules verified
  • This is a semver patch upgrade within the same minor (API-compatible)
  • Full Linux+cgo build runs in CI (the daemon imports Linux-only / cgo packages that cannot be cross-compiled on macOS)

🤖 Generated with Claude Code
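
An added example, not part of this PR or of the project's code base: a small reviewer-side check that reads a go.mod and confirms that github.com/containerd/containerd is pinned at or above v1.7.33 (the version the description names as carrying both fixes) and that v1.7.32 to v1.7.33 is a patch-only step within the same minor. The module path and version numbers come from the description above; the go.mod excerpt embedded below is constructed, since the real file is not on the page, and the function names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt; the real file is not on the page (assumed content).
const sampleGoMod = `module example.com/agent

go 1.22

require (
	github.com/containerd/containerd v1.7.33
	github.com/spf13/cobra v1.8.1 // indirect
)
`

var semverRe = regexp.MustCompile(`^v(\d+)\.(\d+)\.(\d+)`)

// parseSemver reads vMAJOR.MINOR.PATCH; pre-release/+incompatible suffixes are ignored.
func parseSemver(tag string) ([3]int, bool) {
	m := semverRe.FindStringSubmatch(tag)
	if m == nil {
		return [3]int{}, false
	}
	var v [3]int
	for i := range v {
		v[i], _ = strconv.Atoi(m[i+1])
	}
	return v, true
}

// requiredVersion returns the version go.mod pins for modulePath, from either a
// one-line `require` or a `require ( ... )` block. `replace` is not honoured.
func requiredVersion(gomod, modulePath string) (string, bool) {
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // strip "// indirect" etc.
			line = strings.TrimSpace(line[:i])
		}
		if line == "require (" {
			inBlock = true
			continue
		}
		if line == ")" {
			inBlock = false
			continue
		}
		f := strings.Fields(line)
		if !inBlock {
			if len(f) != 3 || f[0] != "require" {
				continue
			}
			f = f[1:]
		}
		if len(f) == 2 && f[0] == modulePath {
			return f[1], true
		}
	}
	return "", false
}

// atLeast reports have >= want by numeric major, minor, patch comparison.
func atLeast(have, want string) bool {
	h, ok1 := parseSemver(have)
	w, ok2 := parseSemver(want)
	if !ok1 || !ok2 {
		return false
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return true
}

// isPatchBump reports whether from -> to keeps major.minor and only raises the
// patch number, i.e. the API-compatible step the PR description claims.
func isPatchBump(from, to string) bool {
	f, ok1 := parseSemver(from)
	t, ok2 := parseSemver(to)
	return ok1 && ok2 && f[0] == t[0] && f[1] == t[1] && t[2] > f[2]
}

func main() {
	const mod = "github.com/containerd/containerd"
	have, ok := requiredVersion(sampleGoMod, mod)
	fmt.Printf("%s pinned at %q (found=%v); fixed (>= v1.7.33): %v\n", mod, have, ok, ok && atLeast(have, "v1.7.33"))
	fmt.Printf("v1.7.32 -> %s is patch-only: %v\n", have, isPatchBump("v1.7.32", have))
}
```

This only reads the `require` line. `go mod verify` (the check listed above) confirms that the module cache matches the hashes in go.sum; it says nothing about whether the pinned version contains a fix. A `replace` directive or minimal-version selection across other dependencies can also change what the build actually links, so the authoritative answer is `go list -m github.com/containerd/containerd` run in the module, which reports the version after both are applied.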

…VE-2026-47262

Bumps github.com/containerd/containerd from v1.7.32 to v1.7.33.

- CVE-2026-53488 (HIGH, GHSA-xhf5-7wjv-pqxp): CRI plugin propagated image
  config labels to containers without validation, potentially allowing
  arbitrary command execution on the host.
- CVE-2026-47262 (MEDIUM, GHSA-jpcc-p29g-p8mq): a maliciously crafted image
  could trigger memory exhaustion and OOM-kill the containerd process (DoS).

Both are fixed in containerd 1.7.33. This is a semver patch upgrade
(API-compatible); only go.mod/go.sum change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Jingkang Jiang <jjk@cloudpilot.ai>

gitautomator Bot commented Jun 24, 2026

Contributor

Thanks to your contribution, the maintainers will review it as soon as they can!

@gitautomator gitautomator Bot requested a review from jwcesign June 24, 2026 03:44
@jwcesign

Contributor

/approve

@gitautomator gitautomator Bot merged commit a5ed9a8 into main Jun 24, 2026
2 checks passed

gitautomator Bot commented Jun 24, 2026

Contributor

Unknown labels: lgtm, please add them for this repository.
