containerd 0:2.0.0-14.azl3 requires security patch

[heoelri]

Describe the bug

Our internal detection logic reports that containerd2 requires a newer version.

Microsoft Azure Linux has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following Microsoft Azure Linux 3.0 security advisories:https://github.com/microsoft/azurelinux/tree/3.0 (https://github.com/microsoft/azurelinux/tree/3.0)

Microsoft Azure Linux 3.0 is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft. Microsoft Azure Linux has released a security update for containerd2 to fix the vulnerabilities.

Package	Installed_Version	Required_Version
containerd2	0:2.0.0-14.azl3.x86__64	0:2.0.0-15.azl3

We're using the latest image version on our AKS nodes (using NAP):

/galleries/AKSAzureLinux/images/V3gen2/versions/202601.07.0

To Reproduce
n/a

Expected behavior
When an AKS node is running a current Azure Linux node image version, the containerd2 package should be at or above the required secure version (2.0.0-15.azl3), and the vulnerability should either be automatically remediated through the node image upgrade or reflected as Compliant / Not Applicable after the image rollout.

Screenshots
n/a

[eric-desrochers]

Could you please share the full CVE report or the CVE ID/Impacted binary/package that was reported?

The message currently only mentions the upstream release. Please note that it’s possible to remain on the upstream vulnerable range while backporting the proper CVE fix, without necessarily bumping the version.