Skip to content

OCPBUGS-96722:bump containerd to fix CVE-2026-53488#188

Open
jechen0648 wants to merge 1 commit into
openshift:mainfrom
jechen0648:fix-cve-2026-53488-containerd
Open

OCPBUGS-96722:bump containerd to fix CVE-2026-53488#188
jechen0648 wants to merge 1 commit into
openshift:mainfrom
jechen0648:fix-cve-2026-53488-containerd

Conversation

@jechen0648

@jechen0648 jechen0648 commented Jul 14, 2026

Copy link
Copy Markdown

Summary

  • Add containerd to the explicit INSTALL_PKGS list in the Dockerfile so the image is rebuilt with the patched RPM that fixes CVE-2026-53488.
  • The containerd package is present in the network-tools-rhel9 image via the ocp/5.0:tools base image but was not previously pinned explicitly. Listing it here ensures yum installs the latest available version (>= 1.7.33 / 2.x fixed releases) at build time.
  • The vulnerability allows host-root command execution via unvalidated image config labels in the CRI plugin.

Resolves: OCPBUGS-96722

Test plan

  • Verify image builds successfully with containerd installed at a fixed version (>= 1.7.33 or >= 2.0.10/2.1.9/2.2.5/2.3.2)
  • Confirm CVE scan on the rebuilt image no longer flags CVE-2026-53488

Made with Cursor

Summary by CodeRabbit

  • Chores
    • Updated the container build environment to include the containerd package.

Add containerd to the explicit INSTALL_PKGS in the Dockerfile so the
image is rebuilt with the patched RPM (>= 1.7.33/2.x fixed versions)
that validates image config labels before propagating them to the
container, preventing host-root command execution via the CRI plugin.

Resolves: OCPBUGS-96722

Signed-off-by: Jean Chen <jechen@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Walkthrough

The Dockerfile’s package installation list now includes containerd, with no other build stages or commands changed.

Changes

Containerd Installation

Layer / File(s) Summary
Required package list update
Dockerfile
Adds containerd to the alphabetically ordered INSTALL_PKGS list used by the image package installation step.

Estimated code review effort: 1 (Trivial) | ~2 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Only Dockerfile changed; no Ginkgo tests or test titles were added or edited, so the stable-name check is not applicable.
Test Structure And Quality ✅ Passed Only Dockerfile changed; no Ginkgo test code or test patterns were introduced, so the test-structure check is not applicable.
Microshift Test Compatibility ✅ Passed Only Dockerfile changed; no Ginkgo/e2e tests were added or modified, so there’s nothing MicroShift-specific to validate.
Single Node Openshift (Sno) Test Compatibility ✅ Passed Only Dockerfile changed; no new Ginkgo e2e tests were added, so SNO multi-node compatibility is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed Only the Dockerfile package list changed to add containerd; no manifests, controllers, replicas, affinity, node selectors, or topology logic were modified.
Ote Binary Stdout Contract ✅ Passed Only Dockerfile changed; no process-level code or stdout writes were modified, so the OTE stdout contract is unaffected.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Only Dockerfile changed; no new Ginkgo e2e tests were added, so IPv6/disconnected compatibility concerns are not applicable.
No-Weak-Crypto ✅ Passed Diff only adds containerd to Dockerfile; no weak-crypto, custom crypto, or secret-comparison code is introduced.
Container-Privileges ✅ Passed The PR only adds containerd to Dockerfile INSTALL_PKGS; no privileged, hostPID/network/IPC, SYS_ADMIN, root, or allowPrivilegeEscalation settings were added.
No-Sensitive-Data-In-Logs ✅ Passed Only Dockerfile package list changed; no logging code or sensitive-data exposure was added.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the Dockerfile change to add containerd for the CVE fix.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@jechen0648 jechen0648 changed the title bump containerd to fix CVE-2026-53488 OCPBUGS-96722:bump containerd to fix CVE-2026-53488 Jul 14, 2026
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jul 14, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@jechen0648: This pull request references Jira Issue OCPBUGS-96722, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (core-networking-bot@redhat.com), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

  • Add containerd to the explicit INSTALL_PKGS list in the Dockerfile so the image is rebuilt with the patched RPM that fixes CVE-2026-53488.
  • The containerd package is present in the network-tools-rhel9 image via the ocp/5.0:tools base image but was not previously pinned explicitly. Listing it here ensures yum installs the latest available version (>= 1.7.33 / 2.x fixed releases) at build time.
  • The vulnerability allows host-root command execution via unvalidated image config labels in the CRI plugin.

Resolves: OCPBUGS-96722

Test plan

  • Verify image builds successfully with containerd installed at a fixed version (>= 1.7.33 or >= 2.0.10/2.1.9/2.2.5/2.3.2)
  • Confirm CVE scan on the rebuilt image no longer flags CVE-2026-53488

Made with Cursor

Summary by CodeRabbit

  • Chores
  • Updated the container build environment to include the containerd package.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
openshift-ci Bot requested review from marty-power and taanyas July 14, 2026 18:54
@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jechen0648
Once this PR has been reviewed and has the lgtm label, please assign arghosh93 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@jechen0648: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/images eb9abec link true /test images
ci/prow/okd-scos-images eb9abec link true /test okd-scos-images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants