Describe the bug
After upgrading EKS nodes to AMI v20260403 (and subsequently v20260415), containerd fails to start containers with the following error:
failed to create containerd container: mount callback failed on /var/lib/containerd/tmpmounts/containerd-mount2113257072: openat etc/passwd: path escapes from parent
Rolling back to the previous AMI resolves the issue. The regression is caused by a missing backport of upstream fix containerd/containerd#12732, which corrects false positives in the symlink path validation introduced by containerd/containerd#12683. The fix was merged to the upstream release/2.2 branch on March 11th 2026, but is not present in either affected package release.
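The report attributes the regression to false positives in symlink path validation: a link that stays inside the image rootfs is reported as escaping. As an added illustration (not containerd's code, and not a claim about how containerd/containerd#12683 or #12732 are implemented), the Go program below builds a small constructed rootfs and contrasts two ways of validating a symlinked path. ResolveInScope resolves the path as a process confined to the rootfs would, re-anchoring absolute link targets at the rootfs and rejecting only a ".." that would climb above it; NaiveLinkCheck resolves link targets against the host filesystem and therefore refuses a legitimate in-image link such as etc -> /usr/etc with the same "path escapes from parent" wording seen in the log. All function names, the fixture layout and the sample passwd content are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// ErrEscape reuses the wording of the containerd log line quoted in the report.
var ErrEscape = errors.New("path escapes from parent")

// ResolveInScope resolves p under root as a process confined to root would see it:
// symlinks are followed component by component, an absolute link target is
// re-anchored at root rather than the host "/", and a ".." above root is ErrEscape.
func ResolveInScope(root, p string) (string, error) {
	root = filepath.Clean(root)
	todo := strings.Split(filepath.ToSlash(p), "/")
	cur, hops := "/", 0
	for len(todo) > 0 {
		comp := todo[0]
		todo = todo[1:]
		switch comp {
		case "", ".":
			continue
		case "..":
			if cur == "/" {
				return "", ErrEscape // nothing above root to climb into
			}
			cur = path.Dir(cur)
			continue
		}
		next := path.Join(cur, comp)
		hostPath := filepath.Join(root, filepath.FromSlash(next))
		fi, err := os.Lstat(hostPath)
		if err != nil && !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		if err != nil || fi.Mode()&os.ModeSymlink == 0 {
			cur = next // a regular entry, or a name that is not created yet
			continue
		}
		if hops++; hops > 40 { // bounds link chains so that loop -> loop terminates
			return "", fmt.Errorf("too many levels of symbolic links at %s", next)
		}
		target, err := os.Readlink(hostPath)
		if err != nil {
			return "", err
		}
		target = filepath.ToSlash(target)
		if path.IsAbs(target) {
			cur = "/" // inside the image "/" is root itself, not the host root
		}
		todo = append(strings.Split(target, "/"), todo...) // relative: from cur
	}
	return cur, nil
}

// NaiveLinkCheck is the host-relative check that yields false positives: it resolves
// one link against the host and rejects any target outside root, so etc -> /usr/etc fails.
func NaiveLinkCheck(root, link string) error {
	target, err := os.Readlink(filepath.Join(root, link))
	if err != nil {
		return err
	}
	if !filepath.IsAbs(target) {
		target = filepath.Join(root, filepath.Dir(link), target)
	}
	if !strings.HasPrefix(filepath.Clean(target), filepath.Clean(root)+string(filepath.Separator)) {
		return ErrEscape
	}
	return nil
}

// BuildFixture lays out a constructed image rootfs under dir: usr/etc/passwd,
// etc -> /usr/etc (valid inside the image), evil -> ../../outside, loop -> loop.
func BuildFixture(dir string) error {
	if err := os.MkdirAll(filepath.Join(dir, "usr", "etc"), 0o755); err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(dir, "usr", "etc", "passwd"), []byte("root:x:0:0:root:/root:/bin/sh\n"), 0o644); err != nil {
		return err
	}
	for name, target := range map[string]string{"etc": "/usr/etc", "evil": "../../outside", "loop": "loop"} {
		if err := os.Symlink(target, filepath.Join(dir, name)); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, _ := os.MkdirTemp("", "rootfs")
	defer os.RemoveAll(dir)
	_ = BuildFixture(dir)
	got, err := ResolveInScope(dir, "etc/passwd")
	fmt.Println("scoped:", got, err, "| naive:", NaiveLinkCheck(dir, "etc"))
}
```

Run with `go run`: the scoped resolver maps etc/passwd to /usr/etc/passwd while the host-relative check reports the same link as an escape. Both reject evil -> ../../outside, and the hop limit turns loop -> loop into an error instead of a hang; the difference between the two checks is exactly the class of false positive the report describes.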
To Reproduce
Steps to reproduce the behavior:
- Launch an EKS node using AMI v20260403 or v20260415
- Attempt to start any container whose image has a symlink in the path to /etc/passwd
- Observe the "path escapes from parent" error in the containerd logs
Expected behavior
Containers that started successfully on previous AMI versions should continue to start. The fix from containerd/containerd#12732 should be backported to the Amazon Linux 2023 containerd package.
Additional context
We confirmed the missing patch by inspecting the source RPMs from both affected AMI releases:
# containerd-2.2.1-1.amzn2023.0.1 (AMI v20260403)
Patch1000: 1000-containerd-2.0-iouring-seccomp.patch
Patch1001: 1001-containerd-2.0-systemd-compat-config.patch
Patch1002: 1002-containerd-2.0-remove-failing-image-verifier-test.patch
# containerd-2.2.1-1.amzn2023.0.2 (AMI v20260415)
Patch1000: 1000-containerd-2.0-iouring-seccomp.patch
Patch1001: 1001-containerd-2.0-systemd-compat-config.patch
Patch1002: 1002-containerd-2.0-remove-failing-image-verifier-test.patch
Patch1003: 1003-bump-google.golang.org-grpc-to-v1.79.3.patch
Patch1004: 1004-fix-whiteouts-parallel-unpack.patch
A grep across all patch files for followSymlinkInScope, path.*escape, and symlink.*scope returns no results in either release. The fix is absent from both.
Affected packages:
- containerd-2.2.1-1.amzn2023.0.1
- containerd-2.2.1-1.amzn2023.0.2
Upstream references:
Issue: containerd/containerd#12683
Fix: containerd/containerd#12732