CVE-2016-9962
published 2017-01-31
Priority P427 · medium 6.4 (CVSS 3.0)
Vector: AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.38% (29.9th percentile)
RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | docker.io | < docker.io 1.13.1~ds1-2 (bookworm) | docker.io 1.13.1~ds1-2 (bookworm) |
| debian | docker.io | — | — |
| debian | runc | < docker.io 1.13.1~ds1-2 (bookworm) | docker.io 1.13.1~ds1-2 (bookworm) |
| docker | docker | — | — |
| docker | docker | — | — |
| docker | docker | >= 1.11.0 < 1.12.6 | 1.12.6 |
| github.com | opencontainers_runc | >= 0 < 1.2.8 | 1.2.8 |
| github.com | opencontainers_runc | >= 0 < 1.0.0-rc3 | 1.0.0-rc3 |
| github.com | opencontainers_runc | >= 1.3.0-rc.1 < 1.3.3 | 1.3.3 |
| github.com | opencontainers_runc | >= 1.4.0-rc.1 < 1.4.0-rc.3 | 1.4.0-rc.3 |
| github.com | opencontainers_selinux | >= 0 < 1.13.0 | 1.13.0 |
| linuxfoundation | runc | >= 0 < 0.1.1+dfsg1-2 | 0.1.1+dfsg1-2 |
| linuxfoundation | runc | >= 0 < 0.1.1+dfsg1-2 | 0.1.1+dfsg1-2 |
| linuxfoundation | runc | >= 0 < 0.1.1+dfsg1-2 | 0.1.1+dfsg1-2 |
| linuxfoundation | runc | >= 0 < 0.1.1+dfsg1-2 | 0.1.1+dfsg1-2 |
| redhat | enterprise_linux_server | — | — |
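As an added example (not code from this page, runc or any distribution), a Python checker that applies the two upstream ranges from the table (docker >= 1.11.0 < 1.12.6, runc < 1.0.0-rc3) with pre-release ordering, and shows why distro package strings need their own handling: the Fedora update packages and the Red Hat regression package named elsewhere on this page are hard-coded here as constructed lookup tables, and the `assess_package` parser is an assumption about RPM-style name-version-release strings.

```python
"""Classify docker/runc versions against the CVE-2016-9962 ranges on this page."""
import re

# Upstream ranges copied from the page's "Affected" table: [lo, hi).
AFFECTED_RANGES = {
    "docker": ("1.11.0", "1.12.6"),   # >= 1.11.0 and < 1.12.6
    "runc":   ("0", "1.0.0-rc3"),     # >= 0 and < 1.0.0-rc3
}

# Constructed lookup tables from package strings quoted on this page.
# Distro packages carry backported fixes (or regressions) that the upstream
# version string does not reveal, so they must be matched exactly.
FIXED_DISTRO_PACKAGES = {
    "runc-1.0.0-3.rc2.gitc91b5be.fc24",    # Fedora 24 update (bodhi)
    "runc-1.0.0-3.rc2.gitc91b5be.fc25",    # Fedora 25 update (bodhi)
}
REGRESSED_DISTRO_PACKAGES = {
    "docker-1.13.1-108.git4ef4b30.el7": "CVE-2020-14300",  # RHBA-2020:0053
}

_PRE_RE = re.compile(r"^([A-Za-z]+)\.?(\d*)$")   # rc3, rc.1, beta2 ...


def parse_version(v):
    """'1.0.0-rc3' -> ((1,0,0), ('rc', 3)); '1.12.6' -> ((1,12,6), None)."""
    release, _, pre = v.lstrip("v").partition("-")
    nums = tuple(int(x) for x in release.split("."))
    if not pre:
        return nums, None
    m = _PRE_RE.match(pre)
    if not m:
        raise ValueError("unrecognised pre-release tag: %r" % pre)
    return nums, (m.group(1).lower(), int(m.group(2) or 0))


def _key(v):
    """Sort key: pad to 3 components so 1.0 == 1.0.0, and make a pre-release
    (flag 0) sort before the final release with the same numbers (flag 1)."""
    nums, pre = parse_version(v)
    nums = nums + (0,) * (3 - len(nums))
    return (nums, (1, "", 0) if pre is None else (0,) + pre)


def version_lt(a, b):
    return _key(a) < _key(b)


def is_affected(component, version):
    """True if upstream `version` of `component` lies inside the affected range."""
    lo, hi = AFFECTED_RANGES[component]
    return not version_lt(version, lo) and version_lt(version, hi)


def assess_package(nvr):
    """Classify an RPM-style name-version-release string (assumed format).
    Returns 'fixed', 'regressed:<CVE>', 'affected' or 'not-affected'."""
    if nvr in FIXED_DISTRO_PACKAGES:
        return "fixed"
    if nvr in REGRESSED_DISTRO_PACKAGES:
        return "regressed:" + REGRESSED_DISTRO_PACKAGES[nvr]
    # Fall back to the upstream version embedded in the string: name-X.Y.Z-N.rcM...
    m = re.match(r"^(docker|runc)-(\d+(?:\.\d+)*)(?:-\d+\.(rc\d+))?", nvr)
    if not m:
        raise ValueError("cannot parse package string: %r" % nvr)
    comp, ver, rc = m.groups()
    upstream = ver + ("-" + rc if rc else "")
    return "affected" if is_affected(comp, upstream) else "not-affected"
```

The two lookup tables are the practical point: a pure version comparison would call Red Hat's docker-1.13.1 package fixed (it shipped a vulnerable runc, CVE-2020-14300) and Fedora's rc2-based runc vulnerable (it carries the backported fix), so distro packages are only safely judged by the vendor's own advisory.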
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.4 | MEDIUM | CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 7.0 | HIGH | — |
| osv | — | 7.0 | HIGH | — |
| vendor_debian | — | 6.4 | MEDIUM | — |
| vendor_redhat | — | 6.4 | MEDIUM | — |
Red Hat
docker: Security regression of CVE-2016-9962 due to inclusion of vulnerable runc
vendor_redhat·2020-06-23·CVSS 6.4
CVE-2020-14300 [MEDIUM] CWE-271 docker: Security regression of CVE-2016-9962 due to inclusion of vulnerable runc
The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in that update was the fix for CVE-2016-9962, that was previously corrected in the docker packages in Red Hat Enterprise Linux 7 Extras via RHSA-2017:0116 (https://access.redhat.com/errata/RHSA-2017:0116). The CVE-2020-14300 was assigned to this security regression and it is specific to the docker packages produced by Red Hat. The original issue - CVE-2016-9962 - could possibly allow a process inside container to compro
Debian
CVE-2020-14300: docker.io - The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red...
vendor_debian·2020·CVSS 6.4
CVE-2020-14300 [MEDIUM] CVE-2020-14300: docker.io - The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red...
The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in that update was the fix for CVE-2016-9962, that was previously corrected in the docker packages in Red Hat Enterprise Linux 7 Extras via RHSA-2017:0116 (https://access.redhat.com/errata/RHSA-2017:0116). The CVE-2020-14300 was assigned to this security regression and it is specific to the docker packages produced by Red Hat. The original issue - CVE-2016-9962 - could possibly allow a process inside container to compromise a process entering container namespace and execute arbitrary code outside of
Red Hat
docker: insecure opening of file-descriptor allows privilege escalation
vendor_redhat·2017-01-11·CVSS 6.4
CVE-2016-9962 [MEDIUM] docker: insecure opening of file-descriptor allows privilege escalation
RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.
The runc component used by `docker exec` feature of docker allowed additional container processes to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain low-level access to these new processes during initialization. An attacker can, depending on the nature of the incoming process
Debian
CVE-2016-9962: docker.io - RunC allowed additional container processes via 'runc exec' to be ptraced by the...
vendor_debian·2016·CVSS 6.4
CVE-2016-9962 [MEDIUM] CVE-2016-9962: docker.io - RunC allowed additional container processes via 'runc exec' to be ptraced by the...
RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.
Scope: local
bookworm: resolved (fixed in 1.13.1~ds1-2)
bullseye: resolved (fixed in 1.13.1~ds1-2)
forky: resolved (fixed in 1.13.1~ds1-2)
sid: resolved (fixed in 1.13.1~ds1-2)
trixie: resolved (fixed in 1.13.1~ds1-2)
GHSA
runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects
ghsa·2025-11-05·CVSS 7.0
CVE-2025-52881 [HIGH] CWE-363 runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects
### Impact
This attack is primarily a more sophisticated version of CVE-2019-19921, a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy `tmpfs` file, so the correct LSM labels were never applied to the container process. The mitigation runc applied for CVE-2019-19921 was fairly limited: it only made runc verify that the files it writes LSM labels to are actual procfs files.
Rather than using a fake `tmpfs` file for `/proc/self/attr/`, an attacker could instead (through various means) make `/proc/self/attr/` reference a real `procfs` file, but one that would still be a no-op (such a
OSV
runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects
osv·2025-11-05·CVSS 7.0
CVE-2025-52881 [HIGH] runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects
### Impact
This attack is primarily a more sophisticated version of CVE-2019-19921, a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy `tmpfs` file, so the correct LSM labels were never applied to the container process. The mitigation runc applied for CVE-2019-19921 was fairly limited: it only made runc verify that the files it writes LSM labels to are actual procfs files.
Rather than using a fake `tmpfs` file for `/proc/self/attr/`, an attacker could instead (through various means) make `/proc/self/attr/` reference a real `procfs` file, but one that would still be a no-op (such a
OSV
Information Exposure in RunC in github.com/opencontainers/runc
osv·2024-08-21
CVE-2016-9962 Information Exposure in RunC in github.com/opencontainers/runc
GHSA
GHSA-26mh-fmrh-48w9: The docker packages version docker-1
ghsa_unreviewed·2022-05-24·CVSS 6.4
CVE-2020-14300 [MEDIUM] CWE-273 GHSA-26mh-fmrh-48w9: The docker packages version docker-1
The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in that update was the fix for CVE-2016-9962, that was previously corrected in the docker packages in Red Hat Enterprise Linux 7 Extras via RHSA-2017:0116 (https://access.redhat.com/errata/RHSA-2017:0116). The CVE-2020-14300 was assigned to this security regression and it is specific to the docker packages produced by Red Hat. The original issue - CVE-2016-9962 - could possibly allow a process inside container to compromise a process entering container namespace and execute arbitrary code outside of
OSV
Information Exposure in RunC
osv·2021-12-20
CVE-2016-9962 [MEDIUM] Information Exposure in RunC
RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.
GHSA
Information Exposure in RunC
ghsa·2021-12-20
CVE-2016-9962 [MEDIUM] CWE-200 Information Exposure in RunC
RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.
OSV
CVE-2016-9962: RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container
osv·2017-01-31·CVSS 6.4
CVE-2016-9962 [MEDIUM] CVE-2016-9962: RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container
RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.
No detection rules found.
No public exploits indexed.
Unit42
Non-Root Containers, Kubernetes CVE-2019-11245 and Why You Should Care
blogs_unit42·2019-08-28·CVSS 4.9
CVE-2019-11245 [MEDIUM] Non-Root Containers, Kubernetes CVE-2019-11245 and Why You Should Care
## Non-Root Containers, Kubernetes CVE-2019-11245 and Why You Should Care
Ariel Zelivansky
Published: August 28, 2019
On May 31st, the Kubernetes Product Security Committee announced a security regression in Kubernetes for which they had assigned CVE-2019-11245. The problem caused containers that use images which are supposed to run with a non-root user to run as root, on the second time they are used or upon restart of the container.
Before elaborating on this particular security issue, let’s first clarify why running a program as root in a container is even a concern at all.
## Non-root containers
When run
Unit42
Non-Root Containers, Kubernetes CVE-2019-11245 and Why You Should Care
blogs_unit42·2019-08-28·CVSS 4.9
CVE-2019-11245 [MEDIUM] Non-Root Containers, Kubernetes CVE-2019-11245 and Why You Should Care
On May 31st, the Kubernetes Product Security Committee announced a security regression in Kubernetes for which they had assigned CVE-2019-11245. The problem caused containers that use images which are supposed to run with a non-root user to run as root, on the second time they are used or upon restart of the container.
Before elaborating on this particular security issue, let’s first clarify why running a program as root in a container is even a concern at all.
## Non-root containers
When running applications on a non-containerized Linux environment, e.g. on the host machine, it is commonly understood why isolation between the root user and non-privileged users is desired. If run as root, any breached or misbehaving application could easily wreak havoc on the system, by modifying system
Unit42
Making Containers More Isolated: An Overview of Sandboxed Container Technologies
blogs_unit42·2019-06-06
## Making Containers More Isolated: An Overview of Sandboxed Container Technologies
Jay Chen
Published: June 6, 2019
Executive Summary
While the majority of the IT industry is in the midst of adopting container-based infrastructure (cloud-native solution), it is imperative to understand the technology’s limitations. Traditional containers such as Docker, Linux Containers (LXC), and Rocket (rkt) are not truly sandboxed as they share the host OS kernel. They are resource-efficient, but the attack surface and the potential impact of a breach are still large, especially in a multi-tenant cloud environme
Unit42
Making Containers More Isolated: An Overview of Sandboxed Container Technologies
blogs_unit42·2019-06-06
Executive Summary
While the majority of the IT industry is in the midst of adopting container-based infrastructure (cloud-native solutions), it is imperative to understand the technology’s limitations. Traditional containers such as Docker, Linux Containers (LXC), and Rocket (rkt) are not truly sandboxed as they share the host OS kernel. They are resource-efficient, but the attack surface and the potential impact of a breach are still large, especially in a multi-tenant cloud environment that co-locates containers belonging to different customers. The root of the problem is the weak separation between containers when the host OS creates a virtualized userland for each container. There has been research and development focusing on designing truly sandboxed containers. Most of the solutions r
Unit42
Breaking out of Docker via runC – Explaining CVE-2019-5736
blogs_unit42·2019-02-21·CVSS 8.6
CVE-2019-5736 [HIGH] Breaking out of Docker via runC – Explaining CVE-2019-5736
Last week (2019-02-11) a new vulnerability in runC was reported by its maintainers, originally found by Adam Iwaniuk and Borys Poplawski. Dubbed CVE-2019-5736, it affects Docker containers running in default settings and can be used by an attacker to gain root-level access on the host.
Aleksa Sarai, one of runC’s maintainers, found that the same fundamental flaw exists in LXC. As opposed to Docker though, only privileged LXC containers are vulnerable. Both runC and LXC were patched and new versions were released.
The vulnerability gained a lot of traction and numerous technology sites and commercial companies addressed it in dedicated posts. Here at Twistlock, our CTO John Morello wrote an excellent piece with all the relevant details and the mitigations offered by the Twistlock platform
Unit42
Breaking out of Docker via runC – Explaining CVE-2019-5736
blogs_unit42·2019-02-21·CVSS 8.6
CVE-2019-5736 [HIGH] Breaking out of Docker via runC – Explaining CVE-2019-5736
## Breaking out of Docker via runC – Explaining CVE-2019-5736
Yuval Avrahami
Published: February 21, 2019
Last week (2019-02-11) a new vulnerability in runC was reported by its maintainers, originally found by Adam Iwaniuk and Borys Poplawski. Dubbed CVE-2019-5736, it affects Docker containers running in default settings and can be used by an attacker to gain root-level access on the host.
Aleksa Sarai, one of runC’s maintainers, found that the same fundamental flaw exists in LXC. As opposed to Docker though, only privileged LXC containers are vulnerable. Both runC
arXiv
Threat Modeling and Security Analysis of Containers: A Survey
arxiv_fulltext·2021-11-22
Ann Yi Wong¹, Eyasu Getahun Chekole¹, Martín Ochoa², Jianying Zhou¹
¹ Singapore University of Technology and Design, Singapore 487372, Singapore
[email protected], {eyasu_chekole, jianying_zhou}@sutd.edu.sg
² Department of Computer Science, ETH Zurich, 8092 Zurich, Switzerland
[email protected]
## Abstract
Traditionally, applications that are used in large and small enterprises were deployed on "bare metal" servers installed with operating systems. Recently, the use of multiple virtual machines (VMs) on the same physical server was adopted due to cost reduction and flexibility. Nowadays, containers have become popular for application deployment due to smaller footprints than the VMs, their ability to start
Bugzilla
CVE-2020-14300 docker: Security regression of CVE-2016-9962 due to inclusion of vulnerable runc
bugzilla·2020-06-19·CVSS 6.4
CVE-2020-14300 [MEDIUM] CVE-2020-14300 docker: Security regression of CVE-2016-9962 due to inclusion of vulnerable runc
The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in that update was the fix for CVE-2016-9962, that was previously corrected in the docker packages in Red Hat Enterprise Linux 7 Extras via RHSA-2017:0116 (https://access.redhat.com/errata/RHSA-2017:0116). The CVE-2020-14300 was assigned to this security regression and it is specific to the docker packages produced by Red Hat.
The original issue - CVE-2016-9962 - could possibly allow a process inside con
Bugzilla
CVE-2016-9962 runc: docker: insecure opening of file-descriptor allows privilege escalation [fedora-all]
bugzilla·2017-01-11·CVSS 6.4
CVE-2016-9962 [MEDIUM] CVE-2016-9962 runc: docker: insecure opening of file-descriptor allows privilege escalation [fedora-all]
runc-1.0.0-3.rc2.gitc91b5be.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0200646669
Discussion:
runc-1.0.0-3.rc2.gitc91b5be.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-19b0fe001d
---
runc-1.0.0-3.rc2.gitc91b5be.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-19b0fe001d
---
runc-1.0.0-3.rc
Bugzilla
CVE-2016-9962 docker: insecure opening of file-descriptor allows privilege escalation
bugzilla·2017-01-02·CVSS 6.4
CVE-2016-9962 [MEDIUM] CVE-2016-9962 docker: insecure opening of file-descriptor allows privilege escalation
The following issue was reported in Docker:
RunC allowed additional container processes via `runc exec` to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.
Discussion:
Acknowledgments:
Name: the Docker project
Upstream: Aleksa Sarai (SUSE), Tõnis Tiigi (Docker)
---
Created attachment 1236624
CVE-2016-9962 patch
---
This is an extremely difficult to exploit flaw on standard RHEL and Fedora systems.
I checked the 1.10.3 and 1.12.5 buil
- http://rhn.redhat.com/errata/RHSA-2017-0116.html
- http://rhn.redhat.com/errata/RHSA-2017-0123.html
- http://rhn.redhat.com/errata/RHSA-2017-0127.html
- http://seclists.org/fulldisclosure/2017/Jan/21
- http://seclists.org/fulldisclosure/2017/Jan/29
- http://www.securityfocus.com/archive/1/540001/100/0/threaded
- http://www.securityfocus.com/bid/95361
- https://access.redhat.com/security/vulnerabilities/cve-2016-9962
- https://bugzilla.suse.com/show_bug.cgi?id=1012568#c6
- https://github.com/docker/docker/releases/tag/v1.12.6
- https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAXJMMLRU7DD2IMG47SR2K4BOFFG7FZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FINGBFMIXBG6B6ZWYH3TMRP5V3PDBNXR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVM7FCOQMPKOFLDTUYSS4ES76DDM56VP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WUQ3MQNEL5IBZZLMLR72Q4YDCL2SCKRK/
- https://security.gentoo.org/glsa/201701-34