CVE-2021-43784
Published 2021-12-06
CVE-2021-43784: runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization…
PriorityP431medium5CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS 1.66% (73.8th percentile)
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.
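The description above (repeated in the Red Hat, Debian, GHSA and OSV entries further down) names the mechanism but not the shape of the bug. The Go program below is an added example written for this page; it is not runc's code and not taken from any of the quoted advisories. It models the two halves the description mentions: a Go-side encoder that writes a byte-array attribute with a 16-bit netlink-style length field (4-byte header of uint16 length including the header, then uint16 type), and a C-side parser that trusts that length. Attribute type numbers, the clone-flag values, and the "last attribute of a type wins" parse rule are this example's assumptions; the attacker-influenced byte array is modelled as the namespace-path string that the advisory's workaround points at. `bytemsgVulnerable` casts the length to uint16 without a range check, as pre-1.0.3 runc did; `bytemsgFixed` rejects anything over 65535 bytes, which is the shape of the 1.0.3 fix.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Attribute numbers and flag values are stand-ins chosen for this example,
// not runc's real constants; only the nlattr layout follows the description.
const (
	attrCloneFlags uint16 = 1  // uint32 payload: which namespaces to create
	attrNsPaths    uint16 = 2  // byte-array payload: strings the image author influences
	attrIgnored    uint16 = 99 // a type the receiver does not act on; used as filler
)

const nlaHdrLen = 4 // uint16 length (header included) + uint16 type

// Assumed value for "create mount, PID and network namespaces".
const wantFlags uint32 = 0x00020000 | 0x20000000 | 0x40000000

// bytemsgVulnerable mirrors the pre-1.0.3 logic: the attribute length is cast
// to uint16 with no range check, so a length of 65540 is written as 4.
func bytemsgVulnerable(typ uint16, data []byte) ([]byte, error) {
	l := nlaHdrLen + len(data)
	buf := make([]byte, nlaHdrLen, l)
	binary.LittleEndian.PutUint16(buf[0:2], uint16(l)) // silent wrap-around
	binary.LittleEndian.PutUint16(buf[2:4], typ)
	return append(buf, data...), nil
}

// bytemsgFixed refuses anything the 16-bit field cannot represent.
func bytemsgFixed(typ uint16, data []byte) ([]byte, error) {
	if l := nlaHdrLen + len(data); l > math.MaxUint16 {
		return nil, fmt.Errorf("netlink: bytemsg length %d exceeds uint16", l)
	}
	return bytemsgVulnerable(typ, data) // same encoding once the length is known to fit
}

// uint32msg encodes a fixed-size attribute; its length cannot overflow.
func uint32msg(typ uint16, v uint32) []byte {
	buf := make([]byte, nlaHdrLen+4)
	binary.LittleEndian.PutUint16(buf[0:2], nlaHdrLen+4)
	binary.LittleEndian.PutUint16(buf[2:4], typ)
	binary.LittleEndian.PutUint32(buf[4:], v)
	return buf
}

// buildConfig is the Go side: trusted clone flags first, then the
// attacker-influenced byte array, encoded with the supplied bytemsg.
func buildConfig(bytemsg func(uint16, []byte) ([]byte, error), flags uint32, paths []byte) ([]byte, error) {
	p, err := bytemsg(attrNsPaths, paths)
	if err != nil {
		return nil, err
	}
	return append(uint32msg(attrCloneFlags, flags), p...), nil
}

// effectiveCloneFlags models the receiving C side: trust the 16-bit length,
// take that many bytes, continue after them; a later clone-flags attribute
// overrides an earlier one, as a switch-based parser would.
func effectiveCloneFlags(msg []byte) (uint32, error) {
	var flags uint32
	seen := false
	for len(msg) > 0 {
		if len(msg) < nlaHdrLen {
			return 0, errors.New("truncated attribute header")
		}
		l := int(binary.LittleEndian.Uint16(msg[0:2]))
		typ := binary.LittleEndian.Uint16(msg[2:4])
		if l < nlaHdrLen || l > len(msg) {
			return 0, fmt.Errorf("bad attribute length %d", l)
		}
		if typ == attrCloneFlags && l == nlaHdrLen+4 {
			flags, seen = binary.LittleEndian.Uint32(msg[nlaHdrLen:l]), true
		}
		msg = msg[l:]
	}
	if !seen {
		return 0, errors.New("clone flags attribute missing")
	}
	return flags, nil
}

// maliciousPaths is a constructed 65536-byte "paths" value. The vulnerable
// encoder writes its length as 65540 mod 65536 = 4 (an empty attribute), so
// the parser resumes inside attacker bytes: a forged clone-flags attribute of
// 0 (no namespaces), then one ignored attribute that swallows the rest.
func maliciousPaths() []byte {
	forged := uint32msg(attrCloneFlags, 0)
	fillerLen := math.MaxUint16 + 1 - len(forged) // 65528, itself representable in uint16
	filler := make([]byte, fillerLen)
	binary.LittleEndian.PutUint16(filler[0:2], uint16(fillerLen))
	binary.LittleEndian.PutUint16(filler[2:4], attrIgnored)
	return append(forged, filler...)
}
```

Feeding `maliciousPaths()` through `buildConfig(bytemsgVulnerable, wantFlags, ...)` and then `effectiveCloneFlags` yields 0, i.e. the C side would create no namespaces although the Go side asked for three; the same call with `bytemsgFixed` returns an error before anything is sent. Note that the check has to live in the encoder: the outer netlink message length is 32-bit, so the attacker's 64 KiB of attribute data is otherwise perfectly well-formed and nothing on the receiving side can tell the forged attribute from a real one.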
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | runc | < runc 1.0.3+ds1-1 (bookworm) | runc 1.0.3+ds1-1 (bookworm) |
| github.com | opencontainers_runc | >= 0 < 1.0.3 | 1.0.3 |
| github.com | opencontainers_runc | >= 1.0.1-0.20211012131345-9c444070ec7b < 1.1.0 | 1.1.0 |
| linuxfoundation | runc | < 1.0.3 | 1.0.3 |
| linuxfoundation | runc | >= 0 < 1.0.0~rc93+ds1-5+deb11u4 | 1.0.0~rc93+ds1-5+deb11u4 |
| linuxfoundation | runc | >= 0 < 1.0.3+ds1-1 | 1.0.3+ds1-1 |
| linuxfoundation | runc | >= 0 < 1.0.3+ds1-1 | 1.0.3+ds1-1 |
| linuxfoundation | runc | >= 0 < 1.0.3+ds1-1 | 1.0.3+ds1-1 |
| linuxfoundation | runc | >= 0 < 1.0.0~rc7+git20190403.029124da-0ubuntu1~16.04.4+esm4 | 1.0.0~rc7+git20190403.029124da-0ubuntu1~16.04.4+esm4 |
| msrc | cbl2_moby-runc_1.1.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_moby-runc_1.1.0+azure-2_on_cbl_mariner_1.0 | — | — |
| opencontainers | runc | < 1.0.3 | 1.0.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.0 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
| nvd | 2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| osv | — | 7.0 | HIGH | — |
| vendor_ubuntu | — | 7.0 | HIGH | — |
| vendor_debian | — | 6.0 | MEDIUM | — |
| vendor_redhat | — | 6.0 | MEDIUM | — |
| vendor_msrc | — | 5.0 | MEDIUM | — |
Ubuntu
runC vulnerabilities
vendor_ubuntu·2023-05-23·CVSS 7.0
CVE-2022-29162 [HIGH] runC vulnerabilities
Title: runC vulnerabilities
Summary: Several security issues were fixed in runC.
USN-6088-1 fixed vulnerabilities in runC. This update provides
the corresponding updates for Ubuntu 16.04 LTS.
It was discovered that runC incorrectly performed access control when
mounting /proc to non-directories. An attacker could possibly use
this issue to escalate privileges.
(CVE-2019-19921)
Felix Wilhelm discovered that runC incorrectly handled netlink
messages. An attacker could possibly use
this issue to escalate privileges. (CVE-2021-43784)
Andrew G. Morgan discovered that runC incorrectly set
inherited process capabilities inside the container.
An attacker could possibly use this issue to
escalate privileges. (CVE-2022-29162)
Original advisory details:
It was discovered that runC incorrectly m
Microsoft
Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration
vendor_msrc·2021-12-14·CVSS 5.0
CVE-2021-43784 [MEDIUM] CWE-190 Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration
Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Red Hat
runc: integer overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration
vendor_redhat·2021-12-06·CVSS 6.0
CVE-2021-43784 [MEDIUM] CWE-190 runc: integer overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration
runc: integer overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability
Debian
CVE-2021-43784: runc - runc is a CLI tool for spawning and running containers on Linux according to the...
vendor_debian·2021·CVSS 6.0
CVE-2021-43784 [MEDIUM] CVE-2021-43784: runc - runc is a CLI tool for spawning and running containers on Linux according to the...
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass
OSV
runc vulnerabilities
osv·2023-05-23·CVSS 7.0
CVE-2019-19921 [HIGH] runc vulnerabilities
runc vulnerabilities
USN-6088-1 fixed vulnerabilities in runC. This update provides
the corresponding updates for Ubuntu 16.04 LTS.
It was discovered that runC incorrectly performed access control when
mounting /proc to non-directories. An attacker could possibly use
this issue to escalate privileges.
(CVE-2019-19921)
Felix Wilhelm discovered that runC incorrectly handled netlink
messages. An attacker could possibly use
this issue to escalate privileges. (CVE-2021-43784)
Andrew G. Morgan discovered that runC incorrectly set
inherited process capabilities inside the container.
An attacker could possibly use this issue to
escalate privileges. (CVE-2022-29162)
Original advisory details:
It was discovered that runC incorrectly made /sys/fs/cgroup
writable when in rootless mode. An attacke
OSV
Namespace restriction bypass in github.com/opencontainers/runc
osv·2022-07-15
CVE-2021-43784 Namespace restriction bypass in github.com/opencontainers/runc
Namespace restriction bypass in github.com/opencontainers/runc
An attacker with partial control over the bind mount sources of a new container can bypass namespace restrictions.
GHSA
Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration in RunC
ghsa·2021-12-07
CVE-2021-43784 [MEDIUM] CWE-190 Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration in RunC
Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration in RunC
### Impact
In runc, [netlink](https://www.man7.org/linux/man-pages/man7/netlink.7.html) is used internally as a serialization system for specifying the relevant container configuration to the C portion of our code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration.
This vulnerability requires the attacker to have some
OSV
Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration in RunC
osv·2021-12-07
CVE-2021-43784 [MEDIUM] Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration in RunC
Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration in RunC
### Impact
In runc, [netlink](https://www.man7.org/linux/man-pages/man7/netlink.7.html) is used internally as a serialization system for specifying the relevant container configuration to the C portion of our code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration.
This vulnerability requires the attacker to have some
OSV
CVE-2021-43784: runc is a CLI tool for spawning and running containers on Linux according to the OCI specification
osv·2021-12-06·CVSS 5.0
CVE-2021-43784 [MEDIUM] CVE-2021-43784: runc is a CLI tool for spawning and running containers on Linux according to the OCI specification
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://bugs.chromium.org/p/project-zero/issues/detail?id=2241
- https://github.com/opencontainers/runc/commit/9c444070ec7bb83995dbc0185da68284da71c554
- https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae
- https://github.com/opencontainers/runc/commit/f50369af4b571e358f20b139eea52d612eb55eed
- https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f
- https://lists.debian.org/debian-lts-announce/2021/12/msg00005.html
- https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html
Published 2021-12-06