EUVD-2026-33727

Input validation bypass in SMB volume mount handling in CloudFoundry Foundation diego-release allows low-privileged CF space developer to inject arbitrary kernel CIFS mount options via bypassing the mount-option allowlist, enabling privilege escalation and security control bypass on multi-tenant...

Docker: Race condition in docker cp allows bind mount redirection to host path

Summary A race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. Details When copying files into a container, the daemon sets up a temporary filesystem vie...

UNIX Symbolic Link (Symlink) Following

Overview Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following during docker cp mount setup before subsequent mount syscall. An attacker can overwrite arbitrary files on the host or cause denial of service by exploiting a race condition where a symlink is create...

PT-2026-41767

Name of the Vulnerable Software and Affected Versions Docker affected versions not specified Description A race condition occurs during the mount setup of the docker cp command. When copying files into a container, the daemon creates a temporary filesystem view by bind-mounting volumes. A process...

CVE-2026-40923 Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal pat...

EUVD-2022-1238

Malicious code in bioql PyPI...

Important: runc

Issue Overview: A flaw was found in runc. An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization, by adding a symlink to the rootfs that points to a directory on the volume. The highest threat from this...

Linux Distros Unpatched Vulnerability : CVE-2017-1002101

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type...

RHEL 7 : kubernetes (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - kubernetes: Privilege escalation in the PodSecurityPolicy admission plugin CVE-2017-1000056 - In Kubernet...

runc: volume mount race condition (regression of CVE-2019-19921)

A flaw was found in runc. An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization by adding a symlink to the rootfs that points to a directory on the volume...

runc: volume mount race condition (regression of CVE-2019-19921)

A flaw was found in runc. An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization by adding a symlink to the rootfs that points to a directory on the volume...

runc: volume mount race condition (regression of CVE-2019-19921)

A flaw was found in runc. An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization by adding a symlink to the rootfs that points to a directory on the volume...

K000134748: Kubernetes vulnerabilities CVE-2019-1002100, CVE-2019-11254, CVE-2017-1002101, and CVE-2017-1002102

Security Advisory Description CVE-2019-1002100 In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" e.g. kubectl patch --type json or "Content-Type:...

CVE-2023-27561

A flaw was found in runc. An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization by adding a symlink to the rootfs that points to a directory on the volume...

SUSE CVE-2018-1002101

In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection...

Security Bulletin: Security Vulnerabilities affect IBM Cloud Private - Kubernetes (CVE-2021-25741)

Summary Security Vulnerabilities affect IBM Cloud Private - Kubernetes Vulnerability Details CVEID: CVE-2021-25741 DESCRIPTION: Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by a symlink exchange flaw in kubelet. By sending a specially-crafted...

Kubernetes Arbitrary Command Injection

In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection. Specific Go Packages Affected k8s.io/kubernetes/pkg/util/mount...

GHSA-WQWF-X5CJ-RG56 Kubernetes Arbitrary Command Injection

In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection. Specific Go Packages Affected k8s.io/kubernetes/pkg/util/mount...

Arbitrary Command Injection

In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection...

Files or Directories Accessible to External Parties in kubernetes

A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem...