ALAS2DOCKER-2026-133

References: CVE-2026-47262  CVE-2026-50195  CVE-2026-53488  CVE-2026-53489  CVE-2026-53492 
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Memory exhaustion DoS causing OOM kill of containerd process

NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-jpcc-p29g-p8mq (CVE-2026-47262)

Image cache poisoning via unvalidated checkpoint image references, enabling cross-pod code execution

NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-cvxm-645q-p574 (CVE-2026-50195)

Arbitrary host command execution through unvalidated image config labels propagated to containers

NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-xhf5-7wjv-pqxp (CVE-2026-53488)

Arbitrary file read on host via symlinked container log paths during checkpoint restore

NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-rgh6-rfwx-v388 (CVE-2026-53489)

Device and host mount injection via CDI annotations in checkpoint metadata (requires CDI enabled on node)

NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-33vj-92qq-66hc (CVE-2026-53492)

Issue Correction:
Run yum update containerd or yum update --advisory ALAS2DOCKER-2026-133 to update your system.

New Packages:

aarch64:
    containerd-2.1.7-1.amzn2.0.5.aarch64
    containerd-stress-2.1.7-1.amzn2.0.5.aarch64
    containerd-debuginfo-2.1.7-1.amzn2.0.5.aarch64

src:
    containerd-2.1.7-1.amzn2.0.5.src

x86_64:
    containerd-2.1.7-1.amzn2.0.5.x86_64
    containerd-stress-2.1.7-1.amzn2.0.5.x86_64
    containerd-debuginfo-2.1.7-1.amzn2.0.5.x86_64

Changelog:

2026-06-24: CVE-2026-50195 was added to this advisory.

2026-06-24: CVE-2026-53488 was added to this advisory.

2026-06-24: CVE-2026-53492 was added to this advisory.

2026-06-24: CVE-2026-47262 was added to this advisory.

2026-06-24: CVE-2026-53489 was added to this advisory.