chore(deps): update module github.com/containerd/containerd/v2 to v2.3.1 [security]

[ocmbot]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
github.com/containerd/containerd/v2	indirect	patch	v2.3.0 → v2.3.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

containerd user ID handling bypass allows runAsNonRoot evasion

CVE-2026-46680 / GHSA-fqw6-gf59-qr4w

More information

Details

Impact

A bug was found in containerd where containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user.

Patches

This bug has been fixed in the following containerd versions:

• 2.3.1
• 2.2.4
• 2.0.9
• 1.7.32

Note: The containerd 2.1 release has reached its end of life and a fixed version is not provided.

Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used and that only trusted users have permissions to import images. Alternatively, enforcing a specific numeric runAsUser in the Kubernetes Pod securityContext overrides the USER directive in the image and prevents the bypass. Newer versions of Kubernetes, starting with 1.34, also appear to enforce runAsNonRoot properly regardless of this bug.

Credits

The containerd project would like to thank Lei Wang (@​ssst0n3) for responsibly disclosing this issue in accordance with the containerd security policy.

Resources

• GHSA-265r-hfxg-fhmg (CVE-2024-40635)

For more information

If there are any questions or comments about this advisory:

• Open an issue in containerd
• Send an email to security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability
• Send an email to security@containerd.io

Severity

• CVSS Score: 7.3 / 10 (High)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w
• https://github.com/advisories/GHSA-fqw6-gf59-qr4w

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

containerd/containerd (github.com/containerd/containerd/v2)

v2.3.1: containerd 2.3.1

Compare Source

Welcome to the v2.3.1 release of containerd!

The first patch release for containerd 2.3 contains various fixes and improvements.

Security Updates

• CVE-2026-46680

Highlights

• Fix bug where failed gRPC plugins were not tolerated when starting listeners (#​13390)

Image Storage

• Ensure metadata and mount plugin boltdb files are closed on server shutdown (#​13379)

Runtime

• Fix handling of out-of-range USER values in OCI spec to avoid unexpected username/group lookups (#​13447)
• Fix sandbox task API endpoints for non-runc runtimes and deprecate task fields in Runc options (#​13422)
• Apply hardening to default seccomp socket policy by blocking AF_ALG (#​13409)

Snapshotters

• Disable overlayfs "rebase" capability when running in user namespace (#​13394)
• Fix transfer plugin error when EROFS differ is configured but mkfs.erofs is unavailable (#​13364)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Maksym Pavlenko
• Akihiro Suda
• Derek McGowan
• Paweł Gronowski
• Brian Goff
• Austin Vazquez
• LEI WANG
• Samuel Karp

Changes

24 commits

• Prepare release notes for v2.3.1 (#​13405)
  • 58af96519 Prepare release notes for v2.3.1
  • 8f0b3ca83 Update api to v1.11.1
• oci: return explicit error for out-of-range USER values (#​13447)
  • a05ae7885 oci: return explicit error for out-of-range USER values
• Prepare release notes for api/v1.11.1 (#​13444)
  • da7aef299 Prepare release notes for api/v1.11.1
• Fix sandbox task API endpoints for non-runc runtimes (#​13422)
  • 5282d4e09 Wire task address and version fields
  • e44f5f9ec protos: include task API address to CreateTaskRequest
• seccomp: Block AF_ALG in default socket policy (#​13409)
  • 4d80a31bf seccomp: Block AF_ALG in default socket policy
  • 2ed0d97b6 seccomp: Document socket rule scope and socketcall limitation
• server: tolerate failed gRPC plugins when starting listeners (#​13390)
  • 3a88fdde0 server: tolerate failed gRPC plugins when starting listeners
• overlay: disable "rebase" capability when running in UserNS (#​13394)
  • 2be0710b8 overlay: disable "rebase" capability when running in UserNS
• Update Go to 1.26.3 (#​13374)
  • 3b199c22b Update Go to 1.26.3
• fix: close boltdb on metadata and mount plugin close (#​13379)
  • 1d601271a fix: close boltdb on metadata and mount plugin close
• Fix optional EROFS differ setup in transfer plugin (#​13364)
  • d666d2e42 Refactor transfer unpack configuration setup
  • ccc3bd7b9 Fix optional transfer differ setup

Dependency Changes

• github.com/containerd/containerd/api v1.11.0 -> v1.11.1

Previous release can be found at v2.3.0

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[netlify]

✅ Deploy Preview for ocm-website ready!

Name	Link
🔨 Latest commit	8e40d7b
🔍 Latest deploy log	https://app.netlify.com/projects/ocm-website/deploys/6a10369bfce5b8000817320c
😎 Deploy Preview	https://deploy-preview-2606--ocm-website.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.