chore(deps): update module github.com/containerd/containerd to v1.7.32 [security] (main)

[crossplane-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/containerd/containerd	v1.7.30 → v1.7.32

---

containerd user ID handling bypass allows runAsNonRoot evasion

CVE-2026-46680 / GHSA-fqw6-gf59-qr4w

More information

Details

Impact

A bug was found in containerd where containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user.

Patches

This bug has been fixed in the following containerd versions:

• 2.3.1
• 2.2.4
• 2.0.9
• 1.7.32

Note: The containerd 2.1 release has reached its end of life and a fixed version is not provided.

Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used and that only trusted users have permissions to import images. Alternatively, enforcing a specific numeric runAsUser in the Kubernetes Pod securityContext overrides the USER directive in the image and prevents the bypass. Newer versions of Kubernetes, starting with 1.34, also appear to enforce runAsNonRoot properly regardless of this bug.

Credits

The containerd project would like to thank Lei Wang (@​ssst0n3) for responsibly disclosing this issue in accordance with the containerd security policy.

Resources

• GHSA-265r-hfxg-fhmg (CVE-2024-40635)

For more information

If there are any questions or comments about this advisory:

• Open an issue in containerd
• Send an email to security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability
• Send an email to security@containerd.io

Severity

• CVSS Score: 7.3 / 10 (High)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w
• https://github.com/advisories/GHSA-fqw6-gf59-qr4w

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

containerd user ID handling bypass allows runAsNonRoot evasion

CVE-2026-46680 / GHSA-fqw6-gf59-qr4w

More information

Details

Impact

A bug was found in containerd where containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user.

Patches

This bug has been fixed in the following containerd versions:

• 2.3.1
• 2.2.4
• 2.0.9
• 1.7.32

Note: The containerd 2.1 release has reached its end of life and a fixed version is not provided.

Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used and that only trusted users have permissions to import images. Alternatively, enforcing a specific numeric runAsUser in the Kubernetes Pod securityContext overrides the USER directive in the image and prevents the bypass. Newer versions of Kubernetes, starting with 1.34, also appear to enforce runAsNonRoot properly regardless of this bug.

Credits

The containerd project would like to thank Lei Wang (@​ssst0n3) for responsibly disclosing this issue in accordance with the containerd security policy.

Resources

• GHSA-265r-hfxg-fhmg (CVE-2024-40635)

For more information

If there are any questions or comments about this advisory:

• Open an issue in containerd
• Send an email to security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability
• Send an email to security@containerd.io

Severity

• CVSS Score: 7.3 / 10 (High)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w
• https://github.com/containerd/containerd

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

containerd/containerd (github.com/containerd/containerd)

v1.7.32: containerd 1.7.32

Compare Source

Welcome to the v1.7.32 release of containerd!

The thirty-second patch release for containerd 1.7 contains various fixes
and updates including a security patch.

• containerd

  • CVE-2026-46680

• Allow hosts.toml to contain only root-level fields without an explicit [host] section (#​10028)

• Fix handling of out-of-range USER values in OCI spec to avoid unexpected username/group lookups (#​13450)

• Apply hardening to block AF_ALG in default socket policy (#​13406)

• Support both "volatile" and "fsync=volatile" mount options for volatile snapshotter (#​13299)

• Set AppArmor abi conditionally to support versions < 3.0 (#​13273)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

• Maksym Pavlenko
• Chris Henzie
• Derek McGowan
• Paweł Gronowski
• Samuel Karp
• Wei Fu
• Brad Davidson
• Brian Goff
• LEI WANG
• Phil Estes

17 commits

• bc87d865c Prepare release notes for v1.7.32
• oci: return explicit error for out-of-range USER values (#​13450)
  • 503f47946 oci: return explicit error for out-of-range USER values
• seccomp: Block AF_ALG in default socket policy (#​13406)
  • e55b747d3 seccomp: Block AF_ALG in default socket policy
  • 4627a65f8 seccomp: Document socket rule scope and socketcall limitation
• Fix issue with empty host tree in hosts.toml (#​10028)
  • 24007441d Fix error parsing hosts.toml without any host tree
• Support both styles of volatile mount option (#​13299)
  • 940733149 Support both styles of volatile mount option
• apparmor: Set abi conditionally (#​13273)
  • 2b732c892 apparmor: Set abi conditionally
• Add GitHub Action for k8s node e2e tests (#​13258)
  • 0db1e143a Add GitHub Action for k8s node e2e tests
• Update release process after 1.7 (#​13236)
  • 3223a75c2 Update for latest updates to release tool
  • 1b30082eb Update release process after 1.7

This release has no dependency changes

Previous release can be found at v1.7.31

v1.7.31: containerd 1.7.31

Compare Source

Welcome to the v1.7.31 release of containerd!

The thirty-first patch release for containerd 1.7 contains various fixes
and updates including a security patch.

Security Updates

• spdystream
  • CVE-2026-35469

Highlights

Container Runtime Interface (CRI)

• Fix CNI issue where DEL is never executed after a restart (#​12931)
• Sanitize error before gRPC return to prevent possible credential leak in pod events (#​12805)
• Improve error message and add warning when concurrent container creation is detected (#​12744)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Samuel Karp
• Maksym Pavlenko
• Akhil Mohan
• Phil Estes
• Sebastiaan van Stijn
• Wei Fu
• Akihiro Suda
• Alex Chernyakhovsky
• Chris Henzie
• Michael Zappa
• Ricardo Branco
• Shachar Tal
• ningmingxiao
• yashsingh74

Changes

37 commits

• Prepare release notes for v1.7.31 (#​13221)
  • 7d2662653 Prepare release notes for v1.7.31
• update github.com/moby/spdystream v0.5.1 (#​13220)
  • 3f795c02a update github.com/moby/spdystream v0.5.1
• update to Go 1.25.9, 1.26.2 (#​13200)
  • 7b1e1b17b update to Go 1.25.9, 1.26.2
  • b673f2d42 update golangci-lint to v2.9.0 with go1.26 support
  • d88d8513a remove windows/arm from cross build
  • a763407b5 Ignore warnings for golangci-lint bump
  • 03dcd8360 ci: bump golangci from 6.5.2 to 7.0.0
• Update github.com/moby/spdystream v0.2.0->v0.5.0 (#​13176)
  • c08711218 Update github.com/moby/spdystream v0.2.0->v0.5.0
• Skip TestExportAndImportMultiLayer on s390x (#​13152)
  • 043548f6d Skip TestExportAndImportMultiLayer on s390x
• update runc binary to v1.3.5 (#​13059)
  • e99bd6050 [release/1.7] update runc binary to v1.3.5
• CODEOWNERS: mark Sam and Chris as owners for 1.7 (#​13069)
  • 3a3103aaf CODEOWNERS: mark Sam and Chris as owners for 1.7
• Fix vagrant on CI (#​13064)
  • 9b4cfa271 Ignore NOCHANGE error
• ci: modprobe xt_comment on almalinux (#​12959)
  • 53e9e73f0 ci: modprobe xt_comment on almalinux
• Fix TOCTOU race bug in tar extraction (#​12970)
  • 61c2733fd Fix TOCTOU race bug in tar extraction
• Fix CNI issue where CNI DEL is never executed (#​12931)
  • f854c1890 fix issue where cni del is never executed
• apparmor: explicitly set abi/3.0 (#​12899)
  • 5c091d92e apparmor: explicitly set abi/3.0
• backport: integration: Fix TestImageLoad() failure on CI (#​12908)
  • 177ac10fe integration: Fix TestImageLoad() failure on CI
• update to go1.24.13, go1.25.7 (#​12873)
  • 56da43d0f update to go1.24.13, go1.25.7
  • 5cb3cb9ba ci: bump go 1.24.12, 1.25.6
• fix: sanitize error before gRPC return to prevent credential leak in pod events (#​12805)
  • b1fa03843 fix: sanitize error before gRPC return to prevent credential leak in pod events
• cri: emit warning for concurrent CreateContainer (#​12744)
  • e2c93a42c cri: emit warning for concurrent CreateContainer

Dependency Changes

• github.com/moby/spdystream v0.2.0 -> v0.5.1

Previous release can be found at v1.7.30

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.