10 matches found

CVE · added 2024/01/31 9:31 p.m. · 840 views

CVE-2024-21626

CVE-2024-21626 affects runc prior to 1.1.12, with a file descriptor leak enabling container escapes from containerized processes (e.g., runc exec/run) and potential host filesystem access. The CVE description specifies attacks that could overwrite host binaries and escape to the host filesystem. ...

CVSS 8.6 · AI score 6.6 · EPSS 0.16775 · In wild

CVE · added 2022/03/24 12:00 a.m. · 546 views

CVE-2022-24769

CVE-2022-24769 affects Moby (Docker Engine) before 20.10.14. The bug starts containers with non-empty inheritable Linux process capabilities, enabling programs with inheritable file capabilities to elevate to the container’s permitted set during execve, potentially impacting containers using Linu...

CVSS 5.9 · AI score 6.5 · EPSS 0.00492

CVE · added 2023/03/03 12:00 a.m. · 473 views

CVE-2023-27561

CVE-2023-27561 affects runc; a race condition in volume mounts between two containers with shared mounts can enable an escalation of privileges via libcontainer/rootfs_linux.go. The issue is a regression of CVE-2019-19921 and requires two containers with custom volume-mount configurations and cus...

CVSS 7 · AI score 6.8 · EPSS 0.00448

CVE · added 2022/05/17 12:00 a.m. · 450 views

CVE-2022-29162

CVE-2022-29162 affects runc prior to version 1.1.2, where runc exec --cap could create processes with inheritable Linux capabilities, enabling elevation of capabilities to the permitted set during execve. The issue does not affect the container sandbox since the inheritable set is bounded by the ...

CVSS 7.8 · AI score 6.8 · EPSS 0.00386

CVE · added 2023/03/29 6:22 p.m. · 402 views

CVE-2023-25809

CVE-2023-25809 affects runc (rootless and certain host configurations) where rootless runc can make /sys/fs/cgroup writable under two conditions: 1) inside a user namespace without unsharing cgroup namespace (e.g., docker/podman/nerdctl run --cgroupns=host), or 2) outside the user namespace with ...

CVSS 6.3 · AI score 6.6 · EPSS 0.00327

CVE · added 2023/03/29 6:15 p.m. · 399 views

CVE-2023-28642

Summary (concrete details): The CVE-2023-28642 issue affects the container runtime components, notably the runC tool. The root cause is an AppArmor bypass when a container’s /proc is symlinked under a specific mount configuration, enabling an attacker with local access to bypass confinement. The ...

CVSS 7.8 · AI score 7.5 · EPSS 0.00343

CVE · added 2024/09/03 7:07 p.m. · 316 views

CVE-2024-45310

CVE-2024-45310 affects runc 1.1.13 and earlier and 1.2.0-rc2 and earlier, where sharing a volume between two containers can trigger a race with os.MkdirAll to create empty files or directories in arbitrary host paths. An attacker must be able to start containers with a custom volume configuration...

CVSS 3.6 · AI score 3.6 · EPSS 0.00317

CVE · added 2021/12/06 12:00 a.m. · 231 views

CVE-2021-43784

CVE-2021-43784 affects runc prior to 1.0.3, where a 16‑bit length field overflow in netlink bytemsg allowed an attacker who can influence container configuration to have the parsed payload override netlink-based container configuration and disable namespaces. Impact: potential namespace bypass by...

CVSS 6 · AI score 6 · EPSS 0.01663

CVE · added 2025/11/06 6:47 p.m. · 106 views

CVE-2025-31133

CVE-2025-31133 (runc) affects the runc runtime when using certain bind-mount sources, where verification of the source inode for "/dev/null" could be bypassed. Affected versions include 1.2.7 and earlier, 1.3.0-rc.1 through 1.3.1, and 1.4.0-rc.1 and 1.4.0-rc.2. The issue enables an attacker to pe...

CVSS 7.8 · AI score 6.3 · EPSS 0.00673

CVE · added 2025/11/06 8:23 p.m. · 67 views

CVE-2025-52881

CVE-2025-52881 affects runc (versions 1.2.7, 1.3.2, 1.4.0-rc.2). The issue lets an attacker redirect writes to /proc to other procfs files via a racing container with shared mounts (verified in Dockerfile-based parallel builds). This can enable container escape with high impact. Fixed in 1.2.8, 1...

CVSS 7.5 · AI score 6.4 · EPSS 0.00526