containerd
Safeguard articles tagged "containerd" — guides, analysis, and best practices for software supply chain and application security.
7 articles
Container Runtime Comparison: A 2026 Buyer's Guide
A practical container runtime comparison for 2026 buyers: containerd, CRI-O, gVisor, Kata, and Youki measured against real production workloads.
containerd-shim abstract Unix socket container escape (CVE-2020-15257)
CVE-2020-15257 let containers sharing a host network namespace abuse containerd-shim's abstract socket API. Here's the impact, fix, and remediation path.
containerd CRI plugin mount escape (CVE-2022-23648)
CVE-2022-23648 let crafted pod volume specs bypass containerd's CRI mount isolation to reach arbitrary host files — versions, severity, and fixes.
containerd-shim Abstract Unix Socket Exposure Enabling Co...
CVE-2020-15257 lets processes in host-networked containers reach the containerd-shim socket and escape to the host. Impact, affected versions, and fixes explained.
Container runtime security (containerd/CRI-O) vulnerability roundup
Container runtime CVEs like the runc Leaky Vessels flaw and CRI-O's cr8escape show how containerd and CRI-O bugs turn into full host takeovers.
CRI-O vs containerd: Security Comparison
Both are CNCF graduated runtimes. Both run production clusters. Their security properties diverge in ways that matter for hardened environments.
containerd Security Configuration Guide
containerd runs most of Kubernetes today. Its defaults are reasonable, but reasonable is not hardened. Here is how to close the gaps.