CVE-2026-46680: containerd user ID handling bypass allows runAsNonRoot evasion
containerd resolves a container's User directive in two steps: a value that parses as a 32-bit integer is used directly as the UID, and anything else is treated as a username and looked up in the image's /etc/passwd. A numeric string too large to fit in 32 bits fails the first step and falls through to the second, so it is incorrectly handled as a username. A crafted image can ship an /etc/passwd entry whose name field is exactly that oversized numeric string and whose UID field is 0; the lookup then succeeds and the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, which is unexpected for environments that rely on it to guarantee containers run as a non-root user. Note that the attacker must control the image (both its User config and its /etc/passwd), so untrusted or third-party images are the exposure to review.
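The following Go program is an added illustration of the resolution flaw described above; it is not containerd's code. It models the two-step User lookup with a small passwd parser of its own (containerd's actual lookup helper is not reproduced here), uses a constructed /etc/passwd in which the name field is an out-of-range numeric string mapping to UID 0, and places the faulty resolver beside a hardened one that refuses to treat an all-digit string as a username. The 32-bit unsigned parse and the runAsNonRoot gate are assumptions chosen to mirror the advisory, not containerd's exact implementation.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed /etc/passwd as a crafted image might ship it. The third entry's
// "username" is a numeric string that does not fit in 32 bits and maps to UID 0.
const craftedPasswd = `root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
4294967296:x:0:0:root:/root:/bin/sh
`

// lookupPasswd returns the UID recorded for name in passwd-format text.
// Minimal parser written for this example; it only needs fields 0 and 2.
func lookupPasswd(passwd, name string) (uint32, error) {
	sc := bufio.NewScanner(strings.NewReader(passwd))
	for sc.Scan() {
		f := strings.Split(sc.Text(), ":")
		if len(f) < 3 || f[0] != name {
			continue
		}
		uid, err := strconv.ParseUint(f[2], 10, 32)
		if err != nil {
			return 0, fmt.Errorf("bad uid field for %q: %w", name, err)
		}
		return uint32(uid), nil
	}
	return 0, fmt.Errorf("user %q not found", name)
}

// isNumeric reports whether s consists solely of ASCII digits.
func isNumeric(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

// resolveUserVulnerable models the faulty flow: when the 32-bit parse fails,
// the value is assumed to be a username and handed to the passwd lookup, where
// the crafted entry resolves it to root.
func resolveUserVulnerable(user, passwd string) (uint32, error) {
	if uid, err := strconv.ParseUint(user, 10, 32); err == nil {
		return uint32(uid), nil
	}
	return lookupPasswd(passwd, user)
}

// resolveUserFixed treats any all-digit string as a UID. If it does not fit
// in 32 bits the directive is rejected rather than reinterpreted as a name.
func resolveUserFixed(user, passwd string) (uint32, error) {
	if isNumeric(user) {
		uid, err := strconv.ParseUint(user, 10, 32)
		if err != nil {
			return 0, fmt.Errorf("invalid numeric user %q: %w", user, err)
		}
		return uint32(uid), nil
	}
	return lookupPasswd(passwd, user)
}

// enforceRunAsNonRoot is the gate a runAsNonRoot policy expects to hold on the
// UID the container will actually start with (assumed model, not kubelet code).
func enforceRunAsNonRoot(uid uint32) error {
	if uid == 0 {
		return errors.New("runAsNonRoot: container would run as UID 0")
	}
	return nil
}

func main() {
	for _, user := range []string{"4294967296", "65534", "nobody"} {
		vu, verr := resolveUserVulnerable(user, craftedPasswd)
		fu, ferr := resolveUserFixed(user, craftedPasswd)
		fmt.Printf("User=%-11q vulnerable=(uid %d, err %v)  fixed=(uid %d, err %v)\n",
			user, vu, verr, fu, ferr)
		if verr == nil {
			fmt.Printf("  non-root check on vulnerable result: %v\n", enforceRunAsNonRoot(vu))
		}
	}
}
```

Running it shows the vulnerable resolver mapping `4294967296` to UID 0 while the hardened one returns an error for the same input and still resolves ordinary numeric and named users as before. The practical takeaway for image review is the same as the check in `resolveUserFixed`: a User value made only of digits must be accepted as a UID within range or rejected outright, never looked up by name.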