StackPatch is liveSee product

Back to CVE digest
Ubuntu USN · USN-8471-1

containerd vulnerabilities

Published: Thu, 25 Jun 2026 13:15

CVE-2026-33814CVE-2026-47262CVE-2026-53488

Summary

Several security issues were fixed in containerd.

Details

It was discovered that containerd incorrectly handled HTTP/2 SETTINGS frames. A remote attacker could possibly use this issue to cause containerd to enter an infinite loop, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2026-33814) Jakub Ciolek and Kyle Elliott discovered that containerd incorrectly handled group parsing when creating containers from images. An attacker could possibly use this issue to cause containerd to consume excessive memory, resulting in a denial of service. (CVE-2026-47262) Robert Prast discovered that containerd incorrectly propagated labels from image configurations to containers. An attacker could possibly use this issue to execute arbitrary code on the host. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-53488)

Recommended actions per Ubuntu release

StackPatch playbook auto-generated per release codename and per affected package.

Ubuntu bionic

  • containerd1.6.12-0ubuntu1~18.04.1+esm4apt_upgrade

    Standard apt upgrade. Install 1.6.12-0ubuntu1~18.04.1+esm4 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y containerd

    Most apt upgrades restart their service automatically. needrestart lists anything else.

  • containerd1.6.12-0ubuntu1~18.04.1+esm4apt_upgrade

    Standard apt upgrade. Install 1.6.12-0ubuntu1~18.04.1+esm4 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y containerd

    Most apt upgrades restart their service automatically. needrestart lists anything else.

  • golang-github-containerd-containerd-dev1.6.12-0ubuntu1~18.04.1+esm4apt_upgrade

    Standard apt upgrade. Install 1.6.12-0ubuntu1~18.04.1+esm4 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y golang-github-containerd-containerd-dev

    Most apt upgrades restart their service automatically. needrestart lists anything else.

Ubuntu focal

  • containerd1.6.12-0ubuntu1~20.04.8+esm2apt_upgrade

    Standard apt upgrade. Install 1.6.12-0ubuntu1~20.04.8+esm2 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y containerd

    Most apt upgrades restart their service automatically. needrestart lists anything else.

  • golang-github-containerd-containerd-dev1.6.12-0ubuntu1~20.04.8+esm2apt_upgrade

    Standard apt upgrade. Install 1.6.12-0ubuntu1~20.04.8+esm2 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y golang-github-containerd-containerd-dev

    Most apt upgrades restart their service automatically. needrestart lists anything else.

Ubuntu jammy

  • containerd1.6.12-0ubuntu1~22.04.11apt_upgrade

    Standard apt upgrade. Install 1.6.12-0ubuntu1~22.04.11 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y containerd

    Most apt upgrades restart their service automatically. needrestart lists anything else.

  • golang-github-containerd-containerd-dev1.6.12-0ubuntu1~22.04.11apt_upgrade

    Standard apt upgrade. Install 1.6.12-0ubuntu1~22.04.11 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y golang-github-containerd-containerd-dev

    Most apt upgrades restart their service automatically. needrestart lists anything else.

Ubuntu noble

  • containerd1.6.24~ds1-1ubuntu1.3+esm3apt_upgrade

    Standard apt upgrade. Install 1.6.24~ds1-1ubuntu1.3+esm3 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y containerd

    Most apt upgrades restart their service automatically. needrestart lists anything else.

  • golang-github-containerd-containerd-dev1.6.24~ds1-1ubuntu1.3+esm3apt_upgrade

    Standard apt upgrade. Install 1.6.24~ds1-1ubuntu1.3+esm3 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y golang-github-containerd-containerd-dev

    Most apt upgrades restart their service automatically. needrestart lists anything else.

Ubuntu resolute

  • containerd1.7.24~ds1-10ubuntu1+esm1apt_upgrade

    Standard apt upgrade. Install 1.7.24~ds1-10ubuntu1+esm1 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y containerd

    Most apt upgrades restart their service automatically. needrestart lists anything else.

  • golang-github-containerd-containerd-api-dev1.7.24~ds1-10ubuntu1+esm1apt_upgrade

    Standard apt upgrade. Install 1.7.24~ds1-10ubuntu1+esm1 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y golang-github-containerd-containerd-api-dev

    Most apt upgrades restart their service automatically. needrestart lists anything else.

  • golang-github-containerd-containerd-dev1.7.24~ds1-10ubuntu1+esm1apt_upgrade

    Standard apt upgrade. Install 1.7.24~ds1-10ubuntu1+esm1 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y golang-github-containerd-containerd-dev

    Most apt upgrades restart their service automatically. needrestart lists anything else.

Ubuntu xenial

  • containerd1.2.6-0ubuntu1~16.04.6+esm7apt_upgrade

    Standard apt upgrade. Install 1.2.6-0ubuntu1~16.04.6+esm7 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y containerd

    Most apt upgrades restart their service automatically. needrestart lists anything else.

  • containerd1.2.6-0ubuntu1~16.04.6+esm7apt_upgrade

    Standard apt upgrade. Install 1.2.6-0ubuntu1~16.04.6+esm7 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y containerd

    Most apt upgrades restart their service automatically. needrestart lists anything else.

  • golang-github-docker-containerd-dev1.2.6-0ubuntu1~16.04.6+esm7apt_upgrade

    Standard apt upgrade. Install 1.2.6-0ubuntu1~16.04.6+esm7 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y golang-github-docker-containerd-dev

    Most apt upgrades restart their service automatically. needrestart lists anything else.

Are YOU affected by USN-8471-1?

5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether USN-8471-1 (and any other live CVE) applies. Anonymous, no signup.

curl https://mindsparkstack.com/scan.sh | bash
Form-based quickscan Read the bash source first
Want this automated for your servers?

StackPatch runs this match against YOUR installed packages every hour

Free (3 servers) / from $9/mo (14-day free trial) / Solo $9/mo / Pro $29/mo / Team $79/mo. Indie pricing.

Start free trial →See StackPatch →Live audit log →