CVE-2016-9962 — Race Condition in Opencontainers Runc

CWE-362 — Race Condition CWE-271 — Privilege Dropping / Lowering Errors CWE-363 — Race Condition Enabling Link Following CWE-61 — UNIX Symbolic Link (Symlink) Following CWE-200 — Sensitive Information Exposure CWE-273 — Improper Check for Dropped Privileges23 documents9 sources

Severity

8.8HIGHNVD

NVD6.4GHSA7.0OSV7.0OSV6.4

EPSS

0.1%

top 67.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linuxfoundation Runc Github.com Opencontainers Runc Github.com Opencontainers Selinux +4 more

Timeline

PublishedJan 31

Latest updateNov 5

Description

RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.5 | Impact: 5.9

Affected Packages8 packages

▶Gogithub.com/opencontainers_runc1.3.0-rc.1 — 1.3.3+3

▶Gogithub.com/opencontainers_selinux< 1.13.0

▶debiandebian/runc< docker.io 1.13.1~ds1-2 (bookworm)

▶Debianlinuxfoundation/runc< 0.1.1+dfsg1-2+3

▶NVDdocker/docker1.11.0 — 1.12.6+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects↗2025-11-05

▶

OSV

runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects↗2025-11-05

▶

OSV

Information Exposure in RunC in github.com/opencontainers/runc↗2024-08-21

▶

GHSA

GHSA-26mh-fmrh-48w9: The docker packages version docker-1↗2022-05-24

▶

OSV

Information Exposure in RunC↗2021-12-20

▶

📋Vendor Advisories

Red Hat

docker: Security regression of CVE-2016-9962 due to inclusion of vulnerable runc↗2020-06-23

▶

Debian

CVE-2020-14300: docker.io - The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red...↗2020

▶

Red Hat

docker: insecure opening of file-descriptor allows privilege escalation↗2017-01-11

▶

Debian

CVE-2016-9962: docker.io - RunC allowed additional container processes via 'runc exec' to be ptraced by the...↗2016

▶

🕵️Threat Intelligence

Unit42

Non-Root Containers, Kubernetes CVE-2019-11245 and Why You Should Care↗2019-08-28

▶

Unit42

Non-Root Containers, Kubernetes CVE-2019-11245 and Why You Should Care↗2019-08-28

▶

Unit42

Making Containers More Isolated: An Overview of Sandboxed Container Technologies↗2019-06-06

▶

Unit42

Making Containers More Isolated: An Overview of Sandboxed Container Technologies↗2019-06-06

▶

Unit42

Breaking out of Docker via runC – Explaining CVE-2019-5736↗2019-02-21

▶

📄Research Papers

arXiv

Threat Modeling and Security Analysis of Containers: A Survey↗2021-11-22

▶

💬Community

Bugzilla

CVE-2020-14300 docker: Security regression of CVE-2016-9962 due to inclusion of vulnerable runc↗2020-06-19

▶

Bugzilla

CVE-2016-9962 runc: docker: insecure opening of file-descriptor allows privilege escalation [fedora-all]↗2017-01-11

▶

Bugzilla

CVE-2016-9962 docker: insecure opening of file-descriptor allows privilege escalation↗2017-01-02

▶