CVE-2026-50195
Published: 01 July 2026
Summary
CVE-2026-50195 is a medium-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Linux Foundation containerd. Its CVSS base score is 5.6 (Medium).
Operationally, it ranks at the 27.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
No EU or UK CSIRT advisories indexed for this CVE.
Vulnerability details
containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the CRI checkpoint import process, where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local tag, thereby poisoning the node's local image cache. Subsequently, if other pods on the same node attempt to use the poisoned tag with an IfNotPresent (or Never) pull policy, they will unknowingly execute the attacker's malicious image instead of the legitimate one. This can lead to a compromise of the affected pods, allowing the attacker to execute arbitrary code under the victim pod's identity. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
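As an added example, not taken from this advisory or from the containerd project, the following Python audit walks pod manifests and flags the containers that the cache-poisoning path above would affect: those whose effective imagePullPolicy is IfNotPresent or Never while the image is referenced by a mutable tag rather than pinned by digest. It applies the Kubernetes defaulting rules for an omitted imagePullPolicy; the sample manifest, its container names and registry are constructed.

```python
"""Flag containers that would trust a poisoned local image tag."""
import re
from typing import List, Optional

# A digest-pinned reference is matched by content hash, so a poisoned
# local tag cannot be substituted for it.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def effective_pull_policy(image: str, policy: Optional[str]) -> str:
    """Apply the Kubernetes defaulting rules for an omitted imagePullPolicy."""
    if policy:
        return policy
    if DIGEST_RE.search(image):
        return "IfNotPresent"
    # Look for a tag only in the last path component, so a registry
    # port such as registry:5000/repo is not mistaken for a tag.
    name = image.rsplit("/", 1)[-1]
    if ":" not in name or name.endswith(":latest"):
        return "Always"
    return "IfNotPresent"


def audit_pod(pod: dict) -> List[str]:
    """Return one finding per container exposed to image-cache poisoning."""
    findings = []
    spec = pod.get("spec", {})
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            image = c["image"]
            policy = effective_pull_policy(image, c.get("imagePullPolicy"))
            if policy in ("IfNotPresent", "Never") and not DIGEST_RE.search(image):
                findings.append(f"{c['name']}: {image} ({policy}) trusts local tag")
    return findings


# Constructed sample manifest; the names and registry are not real.
SAMPLE_POD = {
    "spec": {"containers": [
        {"name": "web", "image": "registry.example/web:1.4.2"},
        {"name": "sidecar", "image": "registry.example/proxy:latest"},
        {"name": "db", "image": "registry.example/db:12", "imagePullPolicy": "Always"},
        {"name": "pinned", "image": "registry.example/tool@sha256:" + "a" * 64},
        {"name": "local", "image": "internal/agent:2.0", "imagePullPolicy": "Never"},
    ]},
}

if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print(finding)
```

Only the tag-referenced containers with an IfNotPresent or Never policy are reported; pinning images by digest or enforcing Always removes a container from the list.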
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Provenance documentation and monitoring directly enables verification of authenticity for components and data throughout their history.
Limiting P2P file sharing technology reduces inclusion of functionality or resources from untrusted external control spheres.
Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.
The inventory process requires identifying and recording the origin of all components, making inclusion of functionality from untrusted control spheres easier to detect during reviews.
Requiring approval and monitoring of maintenance tools prevents inclusion and execution of functionality obtained from untrusted sources.
Unowned portable devices represent untrusted control spheres; the prohibition prevents inclusion of functionality or data from such sources.
Strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres.
Directly requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data from external sources.
Hardening callouts (derived)
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Oracle Linux 8 (3 rules)
- V-248574 YUM must be configured to prevent the installation of patches, service packs, device drivers, or OL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization. via CWE-345
- V-248575 OL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. via CWE-345
- V-248635 Executable search paths within the initialization files of all local interactive OL 8 users must only contain paths that resolve to the system default or the user's home directory. via CWE-829
Oracle Linux 9 (2 rules)
- V-271525 OL 9 must have GPG signature verification enabled for all software repositories. via CWE-345
- V-271847 OL 9 must be configured so that executable search paths within the initialization files of all local interactive users only contain paths that resolve to the system default or the user's home directory. via CWE-829
RHEL 7 (3 rules)
- V-204447 The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. via CWE-345
- V-204448 The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. via CWE-345
- V-204477 The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files' executable search paths contain only paths that resolve to the user's home directory. via CWE-829
RHEL 8 (3 rules)
- V-230264 RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. via CWE-345
- V-230265 RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. via CWE-345
- V-230317 Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the user's home directory. via CWE-829
RHEL 9 (2 rules)
- V-257822 RHEL 9 must have GPG signature verification enabled for all software repositories. via CWE-345
- V-258050 Executable search paths within the initialization files of all local interactive RHEL 9 users must only contain paths that resolve to the system default or the user's home directory. via CWE-829
Windows 10 (1 rule)
- V-220737 Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. via CWE-829