Release notes for containerd - Container Service for Kubernetes

containerd is an industry-standard container runtime that manages the entire lifecycle of containers on a host. It provides a simple and stable runtime for your containers. This topic describes the release notes for containerd.

Usage notes

For more information about the comparison between containerd and other runtimes, see Comparison among Docker, containerd, and Sandboxed-Container.
For more information about the feature updates and deprecations in containerd 2.1, see Introduction to containerd 2.1.

July 2025

Version

Change Time

Description

Impact

2.1.3

2025-07-07

Fixed an issue where image shard pulling fails when the server does not return Content Length. For more information, see #12003.
Optimized platform compatibility for Transfer Service and fixed potential issues with local image imports and Registry error handling. For more information, see #11999, #12000, #11979.
Fixed an issue where the fetch operation adds a range field to requests regardless of whether it is needed. For more information, see #12001.
Improved error messages for fetcher to include complete Registry error responses for easier troubleshooting. For more information, see #11997.

No impact on workloads.

May 2025

Version	Change Time	Description	Impact
2.1.1	2025-05-27	New features: The Node Resource Interface (NRI) feature is supported. This feature is enabled by default. The Container Device Interface (CDI) feature is supported. This feature is enabled by default. The Sandbox API is supported. Deprecated features and APIs: The following parameters are deprecated: registry.auths, registry.configs, and registry.mirrors. For more information about how to customize the containerd parameters in the Container Service for Kubernetes (ACK) console, see Customize the containerd parameters of a node pool. Docker images of the Schema 1 format, such as `application/vnd.docker.distribution.manifest.v1+json` and `application/vnd.docker.distribution.manifest.v1+prettyjws`, are no longer supported. Requests for pulling such images will be rejected. For more information about how to identify Docker images of the Schema 1 format, see Identify Docker images of the Schema 1 format. The `io_uring_` system call (syscall) is removed from the default seccomp profile of containerd. By default, containers cannot make the `io_uring_` syscall. The CRI v1alpha2 API is deprecated. CRI v1alpha2 API has been deprecated since Kubernetes 1.26.	No impact on workloads.

March 2025

Version	Release date	Description	Impact
1.6.37	2025-03-03	Go is upgraded to V1.22.10. runC is upgraded to V1.2.5. Teletypewriter (TTY) leaks caused by specifying the tty and stdin container startup parameters are fixed. The leaks may further lead to container startup failures. For more information, see #11160. Image pull failures that may occur when garbage collection (GC) and image pulls are performed at the same time are fixed. For more information, see #3787.	No impact on workloads.
1.6.38	2025-03-31	Go is upgraded to V1.23.7. Vulnerability CVE-2024-40635 is fixed.	No impact on workloads.

November 2024

Version	Modification Time	Description	Impact
1.6.36	2024-11-08	Go is upgraded to V1.22.7. runC is upgraded to V1.1.14. The issue that containers occasionally fail to stop is fixed. For more information, see #10651.	No impact on workloads.

September 2024

Version	Release date	Description	Impact
1.6.34	2024-09-09	Go is upgraded to V1.21.12. runC is upgraded to V1.1.13. The `drain_exec_sync_io_timeout` parameter is added. For more information, see #9768.	No impact on workloads.

February 2024

Version	Change Time	Description	Impact
1.6.28	2024-02-04	Vulnerability CVE-2024-21626 is fixed. runC is upgraded to V1.1.12 (GHSA-xr7r-f8xq-vfvv).	No impact on workloads.

January 2024

Version	Change Time	Description	Impact
1.6.21	2024-01-31	runC is upgraded to V1.1.7. Vulnerability CVE-2024-21626 is fixed.	No impact on workloads.

May 2023

Version	Release date	Description	Impact
1.6.20	2023-05-17	containerd is upgraded to the latest minor version of the first long-term stable (LTS) version. For more information, see Release Notes. Go is upgraded to V1.18.8. The following vulnerabilities are fixed: CVE-2022-41717 CVE-2022-41720 CVE-2022-41716 CVE-2022-27191 Custom registries are supported. By default, you can specify registry hosts by creating a directory under cert.d. runC is upgraded to V1.1.5.	No impact on workloads.

September 2022

Version	Modification Time	Description	Impact
1.5.13	2022-09-08	The following vulnerabilities are fixed: CVE-2022-24769 CVE-2022-31030 The issue that file descriptors are leaked when you delete cgroups is fixed. The MaxConcurrentDownloads parameter must be effective when you unpack a container. A temp mount specified in a Dockerfile is set to read-only in the container.	No impact on workloads.

March 2022

Version	Release date	Description	Impact
1.5.10	2022-03-22	The following vulnerabilities are fixed: CVE-2022-23648 CVE-2021-43816 CVE-2021-41190 runC is upgraded to V1.0.3. The issue that a node enters the NotReady state when a process ID (PID) is leaked and the runC pipe is blocked is fixed.	No impact on workloads.

August 2021

Version	Change Time	Description	Impact
1.4.8	2021-08-03	The following issue is fixed: Sandbox creation times out due to system overloading, which further causes an IP leak. Vulnerability CVE-2021-32760 is fixed.	No impact on workloads.

June 2021

Version	Modification Time	Description	Impact
1.4.6	2021-06-03	Vulnerability CVE-2021-30465 is fixed.	No impact on workloads.

March 2021

Version	Release date	Description	Impact
1.4.4	2021-03-16	containerd can be selected as the container runtime when you create a cluster. Note The containerd runtime is in public preview.	No impact on workloads.