A critical vulnerability has been identified in containerd, the industry-standard open-source container runtime embedded in Kubernetes and major cloud platforms. CVE-2026-50195 carries a CVSS score of 9.9 (CRITICAL) and poses a severe risk to containerized environments by enabling a form of local image cache poisoning.
This is not a theoretical supply-chain risk; it is a functional bypass of image trust mechanisms within a node. An attacker with the ability to create pods—often a low-privilege operation in compromised clusters—can manipulate the container runtime to pull malicious images and assign them trusted tags. When other workloads subsequently pull these images using IfNotPresent or Never policies, they unknowingly execute the attacker's payload. Defenders must patch immediately and audit their local image caches.
Technical Analysis
Affected Component & Severity
- CVE ID: CVE-2026-50195
- CVSS Score: 9.9 (CRITICAL)
- Affected Product: containerd (Open-source container runtime)
- Affected Versions:
- Versions prior to 2.3.2
- Versions prior to 2.2.5
- Versions prior to 2.1.9
The Vulnerability: Checkpoint Import Validation Bypass
Containerd supports a CRI (Container Runtime Interface) feature for checkpointing and restoring pods. This process serializes the state of a container, including references to the image used.
The vulnerability lies in the CRI checkpoint import process. When a checkpoint is restored, containerd fails to properly validate the image references specified within the checkpoint's configuration file.
The Attack Chain
- Initial Access: The attacker gains permissions to create pods within the cluster (e.g., via compromised credentials or a misconfigured RBAC policy).
- Payload Delivery: The attacker creates a pod with a crafted checkpoint archive. This archive contains configuration data specifying a malicious image source but requests that it be tagged with a benign, commonly used name (e.g.,
nginx:latestorpostgres:alpine). - Cache Poisoning: Upon import, containerd pulls the content from the attacker-controlled registry and tags it locally as the benign image. The node's local image cache is now poisoned.
- Lateral Movement/Execution: Other legitimate workloads on that node, configured to use that benign tag with
imagePullPolicy: IfNotPresent(orNever), will start containers using the attacker's malicious image instead of the official one.
Exploitation Status
While CVE-2026-50195 is recently published, the ease of exploitation (requiring only pod creation permissions) suggests that active scanning and exploitation efforts will emerge rapidly in the wild. Proof-of-concept code is trivial to construct given the nature of the flaw.
Detection & Response
Detecting this vulnerability requires monitoring for the abuse of the checkpoint import functionality and verifying the integrity of local image tags.
SIGMA Rules
The following Sigma rules detect the usage of ctr (the containerd CLI tool) to import checkpoints, which is the primary method of exploiting this flaw outside of direct API manipulation.
---
title: Potential Containerd Checkpoint Import Activity
id: 8d2f4a91-4c1a-45a0-9e1f-3b5c6d7e8f90
status: experimental
description: Detects the usage of 'ctr' to import checkpoints, which may indicate an attempt to exploit CVE-2026-50195 to poison the local image cache.
references:
- https://nvd.nist.gov/vuln/detail/CVE-2026-50195
author: Security Arsenal
date: 2026/04/08
tags:
- attack.execution
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/ctr'
CommandLine|contains:
- 'containers import'
- 'checkpoint import'
condition: selection
falsepositives:
- Legitimate administrator backup and restore operations
level: high
---
title: Containerd Image Tagging Anomaly
id: 9e3g5b02-5d2b-56b1-0f2g-4c6d7e8f9g01
status: experimental
description: Detects suspicious re-tagging of images via ctr that could indicate cache poisoning attempts.
references:
- https://nvd.nist.gov/vuln/detail/CVE-2026-50195
author: Security Arsenal
date: 2026/04/08
tags:
- attack.defense_evasion
- attack.t1074.001
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/ctr'
CommandLine|contains: 'tag'
CommandLine|contains:
- 'localhost'
- '127.0.0.1'
condition: selection
falsepositives:
- Local image builds or development tagging
level: medium
KQL (Microsoft Sentinel)
Hunt for suspicious checkpoint imports or containerd CLI usage indicative of cache poisoning. This assumes Linux Syslog or CEF data is ingested into Sentinel.
// Hunt for containerd checkpoint import commands
Syslog
| where ProcessName contains \"ctr\"
| where SyslogMessage has \"containers import\" or SyslogMessage has \"checkpoint import\"
| project TimeGenerated, HostName, ProcessName, SyslogMessage
| extend Timestamp = TimeGenerated
// Hunt for generic containerd suspicious activity
Syslog
| where ProcessName contains \"containerd\"
| where SyslogMessage has \"import\" or SyslogMessage has \"checkpoint\"
| project TimeGenerated, HostName, ProcessName, SyslogMessage
| sort by TimeGenerated desc
Velociraptor VQL
This artifact hunts for the ctr binary execution and checks the version of containerd installed on the endpoint to identify vulnerable instances.
-- Hunt for ctr execution and containerd version
SELECT
Pid,
Name,
CommandLine,
Exe,
Username,
CreateTime
FROM pslist()
WHERE Name = \"ctr\"
AND CommandLine =~ \"import\"
-- Check containerd version for vulnerabilities
SELECT
F.Path,
F.Data AS VersionOutput
FROM read_file(filename=\"/usr/bin/containerd\", max_length=1024)
-- Note: Actually running the binary to check version is preferred if allowed
LET CheckVersion = SELECT
Stdout
FROM execve(argv=[\"/usr/bin/containerd\", \"--version\"])
SELECT Stdout
FROM CheckVersion
WHERE Stdout !~ \"2.3.2|2.2.5|2.1.9\"
Remediation Script (Bash)
This script identifies the containerd version and checks against the vulnerable ranges. It must be run on every node in the cluster.
#!/bin/bash
# Remediation Script for CVE-2026-50195
# Checks containerd version and provides remediation guidance
echo \"[*] Checking containerd version for CVE-2026-50195...\"
# Check if containerd is installed
if ! command -v containerd &> /dev/null; then
echo \"[!] containerd is not installed or not in PATH.\"
exit 1
fi
# Get version string
VERSION_OUTPUT=$(containerd --version)
echo \"[+] Detected: $VERSION_OUTPUT\"
# Extract version number (e.g., v2.1.9)\VERSION=$(echo \"$VERSION_OUTPUT\" | grep -oP '(?<=containerd github.com/containerd/containerd )v?\\K[0-9]+\\.[0-9]+\\.[0-9]+')
if [ -z \"$VERSION\" ]; then
echo \"[!] Could not parse version number.\"
exit 1
fi
echo \"[+] Parsed Version: $VERSION\"
# Compare versions (Assuming standard major.minor.patch)
# Vulnerable: < 2.3.2, < 2.2.5, < 2.1.9
IFS='.' read -r MAJOR MINOR PATCH <<< \"$VERSION\"
VULNERABLE=false
if [ \"$MAJOR\" -lt 2 ]; then
VULNERABLE=true
elif [ \"$MAJOR\" -eq 2 ]; then
if [ \"$MINOR\" -lt 1 ]; then
VULNERABLE=true
elif [ \"$MINOR\" -eq 1 ] && [ \"$PATCH\" -lt 9 ]; then
VULNERABLE=true
elif [ \"$MINOR\" -eq 2 ] && [ \"$PATCH\" -lt 5 ]; then
VULNERABLE=true
elif [ \"$MINOR\" -eq 3 ] && [ \"$PATCH\" -lt 2 ]; then
VULNERABLE=true
elif [ \"$MINOR\" -gt 3 ]; then
VULNERABLE=false # Assume future versions are safe, or verify manually
fi
fi
if [ \"$VULNERABLE\" = true ]; then
echo \"[!!!] ALERT: This version of containerd is VULNERABLE to CVE-2026-50195.\"
echo \"[ACTION REQUIRED]:\"
echo \" 1. Upgrade containerd to one of the following patched versions immediately:\"
echo \" - 2.3.2 or later\"
echo \" - 2.2.5 or later\"
echo \" - 2.1.9 or later\"
echo \" 2. Restart containerd service after upgrade.\"
echo \" 3. Verify patches via: containerd --version\"
else
echo \"[+] This version of containerd appears to be patched.\"
fi
Remediation
1. Patch Immediately
Upgrade containerd on all worker nodes (and control plane nodes if applicable) to one of the following secure versions:
- 2.3.2 (or later)
- 2.2.5 (or later)
- 2.1.9 (or later)
Refer to the official containerd GitHub repository for release binaries and upgrade instructions.
2. Verify Container Image Integrity
After patching, assume the cache may already be compromised on nodes where untrusted users had pod creation rights.
- Purge Local Caches: On production nodes where feasible, clear the local containerd image cache (
ctr images rm ...or wiping/var/lib/containerd) to force a fresh pull of trusted images from the registry. - Restart Workloads: Restart pods to ensure they are using validated images.
3. Restrict Pod Creation Permissions
As a temporary mitigation (or permanent hardening):
- Review Kubernetes RBAC policies. Ensure only trusted service accounts and users have permissions to create pods (
pods/create). - Implement Pod Security Standards (PSS) or Pod Security Policies (PSP) to restrict the capabilities of untrusted workloads.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.