CVE-2024-21626
Published: 2024-01-31
Priority: P1 · 82 · high · 8.6 (CVSS 3.1)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 18.09% (96.8th percentile)
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | runc | < runc 1.1.5+ds1-1+deb12u1 (bookworm) | runc 1.1.5+ds1-1+deb12u1 (bookworm) |
| fedoraproject | fedora | — | — |
| github.com | opencontainers_runc | >= 1.0.0-rc93 < 1.1.12 | 1.1.12 |
| github.com | siderolabs_talos | >= 0 < 1.5.6 | 1.5.6 |
| github.com | siderolabs_talos | >= 1.6.0 < 1.6.4 | 1.6.4 |
| chrome | chrome | — | — |
| linuxfoundation | runc | < 1.1.12 | 1.1.12 |
| linuxfoundation | runc | >= 0 < 1.0.0~rc93+ds1-5+deb11u3 | 1.0.0~rc93+ds1-5+deb11u3 |
| linuxfoundation | runc | >= 0 < 1.1.5+ds1-1+deb12u1 | 1.1.5+ds1-1+deb12u1 |
| linuxfoundation | runc | >= 0 < 1.1.12+ds1-1 | 1.1.12+ds1-1 |
| linuxfoundation | runc | >= 0 < 1.1.12+ds1-1 | 1.1.12+ds1-1 |
| msrc | azure_kubernetes_service | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| opencontainers | runc | — | — |
| paloalto | cortex_xsoar | — | — |
| paloalto | prisma_cloud | — | — |
Detection & IOCs (extracted from sources)
- Detect malicious Dockerfile or container image using WORKDIR set to a procfs path such as /proc/self/fd/<fd_number>, which is the primary exploit primitive for CVE-2024-21626.
- Monitor for container processes whose working directory resolves to a path inside the host filesystem namespace (e.g., /proc/self/fd pointing outside the container rootfs), indicating a successful container escape via the internal file descriptor leak.
- Alert on runc exec invocations where the spawned container process working directory traverses up from /proc/self/fd to reach host filesystem paths (e.g., ../../../../etc/shadow).
- Flag any container image or Dockerfile specifying a WORKDIR value referencing /proc/self/fd/, as this is the attack vector for both 'attack 1' (runc run) and 'attack 2' (runc exec) variants.
- Identify vulnerable runc versions 1.1.11 and earlier; patch to runc 1.1.12 or higher. Also check Docker versions below 25.0.2 / 4.27.1 and BuildKit below 0.12.5.
- Use runtime sensors to detect live exploitation attempts: watch for container processes accessing /sys/fs/cgroup or /proc/self/fd paths that resolve to host filesystem locations.
- Monitor for semi-arbitrary host binary overwrites as an indicator of 'attack 3a' and 'attack 3b' variants, which can lead to complete container escape.
- Context: the vulnerability is exploitable without public network exposure; it requires attacker control over the container image, Dockerfile/BuildKit frontend, or runc exec command-line arguments, not arbitrary code execution in a running container.
- Context: the vulnerability also affects higher-level runtimes such as Docker and Kubernetes when running specially crafted images or specifying malicious workdir options; it is not limited to direct runc usage.
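One way to implement the WORKDIR checks from the list above, as an added example that is not code from this page or from runc: it scans a Dockerfile, an OCI image config and an OCI runtime config.json for a working directory that enters a procfs fd directory, recording the hit before any `..` components are collapsed so the traversal form stays visible. It also treats /proc/thread-self/fd and /proc/<pid>/fd like /proc/self/fd, a generalisation of the primitive the page names; all inputs are constructed samples.

```python
"""Flag container working directories that enter a procfs fd directory, the
primitive behind CVE-2024-21626 (added example, not code from the advisory or
from runc). Covers Dockerfile WORKDIR lines, OCI image configs (WorkingDir) and
OCI runtime config.json (process.cwd). Samples are constructed for this example."""
import json
import posixpath
import re
from typing import List, Tuple

# The advisory names /proc/self/fd; thread-self and numeric pids are added here
# as a generalisation of the same procfs fd directory.
_PROC_ENTRY_RE = re.compile(r"^(self|thread-self|[0-9]+)$")
_VAR_RE = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?")
Finding = Tuple[str, int, str, str]  # (source, line, raw value, reason)


def is_procfs_fd_path(path: str) -> bool:
    """True if resolving the path ever enters /proc/<self|thread-self|pid>/fd.
    '..' is applied while walking, so /app/../proc/self/fd/7 is caught, but the
    hit is recorded as soon as the fd directory is entered, so the traversal
    form /proc/self/fd/7/../../../../etc stays visible even though a plain
    posixpath.normpath() would collapse it to /etc and hide the primitive.
    """
    stack: List[str] = []
    hit = False
    for comp in path.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if stack:
                stack.pop()
            continue
        stack.append(comp)
        if (len(stack) >= 3 and stack[0] == "proc"
                and _PROC_ENTRY_RE.match(stack[1]) and stack[2] == "fd"):
            hit = True
    return hit


def scan_dockerfile(text: str, source: str = "Dockerfile") -> List[Finding]:
    """Track the effective WORKDIR per build stage (one instruction per line,
    no backslash continuations) and flag procfs fd paths."""
    findings: List[Finding] = []
    cwd = "/"
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword, rest = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if keyword == "FROM":
            cwd = "/"  # new stage; the base image's WorkingDir is not known here
            continue
        if keyword != "WORKDIR":
            continue
        value = rest.strip().strip('"')
        if _VAR_RE.search(value):
            findings.append((source, no, value,
                             "WORKDIR uses a variable; resolve ENV/ARG and re-check"))
            continue
        # A relative WORKDIR is joined to the previous one, as the builder does.
        cwd = value if value.startswith("/") else posixpath.join(cwd, value)
        if is_procfs_fd_path(cwd):
            findings.append((source, no, value,
                             f"WORKDIR resolves to procfs fd path {cwd}"))
    return findings


def scan_json_config(config_json: str, source: str = "config") -> List[Finding]:
    """Check an OCI image config (config.WorkingDir), `docker image inspect`
    output (a list with Config.WorkingDir) or an OCI runtime config.json
    (process.cwd) for a procfs fd working directory."""
    doc = json.loads(config_json)
    if isinstance(doc, list):
        doc = doc[0] if doc else {}
    candidates = [
        ("WorkingDir", (doc.get("config") or doc.get("Config") or {}).get("WorkingDir")),
        ("process.cwd", (doc.get("process") or {}).get("cwd")),
    ]
    return [(source, 0, value, f"{key} is a procfs fd path")
            for key, value in candidates if value and is_procfs_fd_path(value)]


# Constructed samples: a Dockerfile mixing benign, traversal and variable
# WORKDIRs, an image config with a bad WorkingDir, and a clean runtime config.
SAMPLE_DOCKERFILE = """\
FROM alpine:3.19
WORKDIR /app
# constructed malicious instruction of the kind the advisory describes
WORKDIR /proc/self/fd/7/../../../..
WORKDIR $APP_HOME
"""
SAMPLE_IMAGE_CONFIG = json.dumps(
    {"config": {"WorkingDir": "/proc/self/fd/8/../../../../", "Cmd": ["sh"]}})
SAMPLE_RUNTIME_CONFIG = json.dumps(
    {"ociVersion": "1.0.2", "process": {"cwd": "/srv", "args": ["sh"]}})


def scan_all() -> List[Finding]:
    return (scan_dockerfile(SAMPLE_DOCKERFILE)
            + scan_json_config(SAMPLE_IMAGE_CONFIG, "image-config")
            + scan_json_config(SAMPLE_RUNTIME_CONFIG, "config.json"))
```

Running `scan_all()` on the samples yields three findings: the traversal WORKDIR, the variable WORKDIR that needs manual resolution, and the image config's WorkingDir; the runtime config is clean.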
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.6 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| ghsa | 8.6 | HIGH | |
| osv | 8.6 | HIGH | |
| vulncheck | 8.6 | HIGH | |
| vendor_debian | 8.6 | HIGH | |
| vendor_msrc | 8.6 | HIGH | |
| vendor_oracle | 8.6 | HIGH | |
| vendor_redhat | 8.6 | HIGH | |
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2024-21626
vendor_chrome · 2024-05-13 · CVSS 8.6 · HIGH
Oracle
Oracle Oracle Communications Risk Matrix: Install/Upgrade (runc) — CVE-2024-21626
vendor_oracle · 2024-04-15 · CVSS 8.6 · HIGH
Oracle Oracle Communications Risk Matrix: Install/Upgrade (runc) vulnerability
CVE: CVE-2024-21626
CVSS: 8.6
Protocol: None
Remote exploit: No
Affected versions: Local
Advisory: cpuapr2024 (APR 2024)
Palo Alto
PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653)
vendor_paloalto · 2024-02-22 · CVSS 8.6 · CWE-22 · HIGH
The Palo Alto Networks Product Security Assurance team has evaluated the four vulnerabilities in Open Container Initiative's runc and Moby BuildKit software (collectively known as "Leaky Vessels") as it relates to our products. While Cortex XSOAR 8, Cortex XSOAR 6 Hosted, and Prisma Cloud Compute rely on this software, they do not offer any scenarios required for the successful
CVEs: CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, CVE-2024-23653
Affected products: Cortex XSOAR, Prisma Cloud
Microsoft
GitHub: CVE-2024-21626 Container breakout through process.cwd trickery and leaked fds
vendor_msrc · 2024-02-13 · CVSS 8.6 · CWE-1104 · HIGH
NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2024-21626
FAQ: Why is this GitHub CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in runc which is consumed by Azure Kubernetes Service. The mitigation for this vulnerability requires a security update and a corresponding Azure Kubernetes Service update enables the mitigation. This CVE is being documented in the Security Update Guide to announce that the Azure Kubernetes Service build published on January 31, 2024 is no longer vulnerable. Please see CVE-2024-21626 for more information.
GitHub: GitHub
Customer Action Required: Yes
Exploit Status: Publicly Disclosed:No;Exploited:No;DOS:N/A
Remediation: Release
Red Hat
runc: file descriptor leak
vendor_redhat · 2024-01-31 · CVSS 8.6 · CWE-200 · HIGH
A file descriptor lea
Ubuntu
runC vulnerability
vendor_ubuntu · 2024-01-31
Summary: runC could be made to expose sensitive information or allow to escape containers.
Rory McNamara discovered that runC did not properly manage internal file descriptors while managing containers. An attacker could possibly use this issue to obtain sensitive information or bypass container restrictions.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2024-21626: runc - runc is a CLI tool for spawning and running containers on Linux according to the...
vendor_debian · 2024 · CVSS 8.6 · HIGH
Scope: local
bookworm: resolved (fixed in 1.1.5+ds
VulDB
opencontainers runc up to 1.1.11 on Linux Internal File Descriptor file descriptor (GHSA-xr7r-f8xq-vfvv / EUVD-2024-0459)
vuldb · 2026-06-25 · CVSS 8.6 · HIGH
A vulnerability was found in opencontainers runc up to 1.1.11 on Linux. It has been rated as critical. This impacts an unknown function of the component Internal File Descriptor Handler. Performing a manipulation results in exposure of file descriptor to unintended control sphere ('file descriptor leak').
This vulnerability is known as CVE-2024-21626. Attacking locally is a requirement. No exploit is available.
Upgrading the affected component is advised.
GHSA
ciguard: Container image runs as root (no USER directive)
ghsa · 2026-05-05 · CVSS 8.6 · CVE-2026-44218 · CWE-269 · HIGH
## Summary
The published `ghcr.io/jo-jo98/ciguard` container image inherits the default root user because the `Dockerfile` lacks a `USER` directive. ciguard is a static analyser with no need for root privileges; running as root inside a container makes any future container-runtime escape CVE more impactful than it needs to be.
## Threat scenario
Defence-in-depth gap. Without a known container-runtime CVE in the chain, this finding is not directly exploitable. Recent runc CVEs (e.g. CVE-2024-21626) provided escape primitives that depended on host UID = container UID = 0 for full impact; with this fix, any future such escape primitive lands as a non-root user on the host.
## Patch
- Dockerfile adds `RUN groupadd -r ciguard && us
OSV
Container breakout through process.cwd trickery and leaked fds in github.com/opencontainers/runc
osv · 2024-06-28
OSV
Talos Linux ships runc vulnerable to the escape to the host attack
osv · 2024-02-02 · CVSS 8.6 · HIGH
### Impact
Snyk has discovered a vulnerability in all versions of runc <=1.1.11, as used by the Docker engine, along with other containerization technologies such as Kubernetes. Exploitation of this issue can result in container escape to the underlying host OS, either through executing a malicious image or building an image using a malicious Dockerfile or upstream image (i.e., when using FROM). This issue has been assigned the CVE-2024-21626.
### Patches
`runc` runtime was updated to 1.1.12 in Talos v1.5.6 and v1.6.4.
### Workarounds
Inspect the workloads running on the cluster to make sure they are not trying to exploit the vulnerability.
### References
* [CVE-2024-21626](https://github.com/opencontainers/runc/sec
GHSA
Talos Linux ships runc vulnerable to the escape to the host attack
ghsa · 2024-02-02 · CVSS 8.6 · HIGH
GHSA
runc vulnerable to container breakout through process.cwd trickery and leaked fds
ghsa · 2024-01-31 · CWE-403 · HIGH
### Impact
In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from `runc exec`) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through `runc run` ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b").
Strictly speaking, while attack 3a is the most severe from a CVSS perspective, attacks 2 and 3b
OSV
runc vulnerable to container breakout through process.cwd trickery and leaked fds
osv · 2024-01-31 · HIGH
OSV
CVE-2024-21626: runc is a CLI tool for spawning and running containers on Linux according to the OCI specification
osv · 2024-01-31 · CVSS 8.6 · HIGH
VulnCheck
linuxfoundation runc Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
vulncheck · 2024 · CVSS 8.6 · HIGH
No detection rules found.
Hackernews
ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors & 20+ New Stories
blogs_hackernews · 2026-06-04 · CVSS 8.6 · CVE-2026-20230 · HIGH
It got stupid again.
The internet still feels held together with tape. Bad plugins, old bugs, fake tools, trusted apps doing shady things. Same mess, new wrapper. And now the weird stuff is normal. Forums go down and come back worse. Cheap hackers get better toys. AI starts breaking real systems. Great.
Read the whole thing before it ruins your week anyway.
Cisco has released fixes to address a high-severity security flaw in Unified Communications Manager (CVE-2026-20230, CVSS score: 8.6) that could allow an unauthe
Tenable
Comprehensive shift-left security | Tenable®
blogs_tenable · 2026-03-10
Solution overview
## Get comprehensive shift-left security with Tenable One Cloud Exposure
Protect your organization by integrating security into automated DevOps workflows. Scan container images and registries across AWS , Azure , GCP , and OCI to identify and remediate vulnerabilities before they reach production. Tenable One Cloud Exposure gives you full-lifecycle container scanning powered by industry-leading threat intelligence and VPR scoring.
## Scan container images across their full lifecycle
Use the Tenable One Cloud Exposure container scanning engine across all stages of development: locally with Docker, integrated into CI/CD pipelines during build and test, in container registries, and in runtime. Shift security left by catching risks as early as possible while maintaining
Wiz
What is Container Escape: Detection & Prevention | Wiz
blogs_wiz · 2025-11-06
## What is container escape?
Container escape is when an attacker breaks out of a container's isolation boundaries to gain unauthorized access to the host operating system or other containers running on the same system. This happens because containers share the host kernel, unlike virtual machines that provide hardware-level isolation.
When isolation mechanisms like namespaces and cgroups get compromised through vulnerabilities or misconfigurations, attackers can escalate privileges and move laterally through your environment. A successful container escape is one of the most severe threats in containerized environments because it can compromise your entire infrastructure.
###### Container Security Best Practices Cheat Sheet
Understanding container escape is just the first step. Get pra
Wiz
Kubernetes Security Context for Secure Container Workloads | Wiz
blogs_wiz · 2025-09-25
A Kubernetes security context defines the runtime privileges and access controls for pods and containers, making it one of the most critical levers for enforcing least privilege and reducing attack surface. By carefully configuring security contexts, you can increase the security posture of your workloads, mitigate potential threats, and simplify compliance.
## The benefits of implementing security contexts
Here are some key advantages of leveraging Kubernetes security contexts:
## Enhanced security posture
Security contexts provide strict, runtime-level controls over containers and pods, including running processes as non-root users, restricting access to the root filesystem, and limiting Linux capabilities. These security measures limit privilege
By implementing security contexts, teams gain fine-grained controls at both the pod and container levels. This practice helps them mitigate common vulnerabilities and enforce least privilege policies via settings like `runAsNonRoot`, `readOnlyRootFilesystem`, and scoped Linux capabilities. It also strengthens cluster-level defenses by leveraging SELinux options and AppArmor profiles.
Tenable
Cloud security: The complete guide | Tenable®
blogs_tenable · 2025-07-14
## Cloud security overview
Last updated: January 27, 2026
## Protect data and workloads across AWS, Azure and GCP
Your cloud attack surface is growing faster than you can manually manage, and traditional vulnerability management practices just don’t work for the cloud. This cloud security guide helps you take control. Learn how cloud security tools help you see all your cloud risks, understand what matters and act before risk becomes a breach.
## Table of contents
- What is cloud security?
- Why do I need cloud security?
- Why cloud security matters
- The cloud security and traditional cybersecurity difference
- Why is cloud security important?
- How does cloud security work?
- Types of cloud security
- Cloud security best practices
- Cloud-native application protection platforms (CNAPP)
Vu
Tenable
Tenable Cloud Risk Report Sounds the Alarm on Toxic Cloud Exposures Threatening Global Organizations
blogs_tenable · 2024-10-08
## 38% of organizations have cloud environments with a “toxic cloud trilogy” of publicly exposed, critically vulnerable and highly privileged workloads
October 8, 2024 · Columbia, MD
Tenable® , the exposure management company, today released its 2024 Tenable Cloud Risk Report , which examines the critical risks at play in modern cloud environments. Most alarmingly, nearly four in 10 organizations globally are leaving themselves exposed at the highest levels due to the “toxic cloud trilogy” of publicly exposed, critically vulnerable and highly privileged cloud workloads. Each of these misalignments alone introduces risk to cloud data, but the combination of all three drastically elevat
Securelist
Exploits and vulnerabilities in Q1 2024
blogs_securelist · 2024-05-07 · CVSS 7.8 · CVE-2024-3094 · HIGH
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
  - Windows and Linux vulnerability exploitation
  - Public exploit statistics
  - Most prevalent exploits
- Vulnerability exploitation in APT attacks
- Notable Q1 2024 vulnerabilities
  - CVE-2024-3094 (XZ)
  - CVE-2024-20656 (Visual Studio)
  - CVE-2024-21626 (runc)
  - CVE-2024-1708 (ScreenConnect)
  - CVE-2024-21412 (Windows Defender)
  - CVE-2024-27198 (TeamCity)
  - CVE-2023-38831 (WinRAR)
- Conclusions and advice
Authors
- Alexander Kolesnikov
- Vitaly Morgunov
We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting a
Securelist
Analyzing the vulnerability landscape in Q1 2024
blogs_securelist · 2024-05-07
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Notable Q1 2024 vulnerabilities
- Conclusions and advice
Authors
- Alexander Kolesnikov
- Vitaly Morgunov
We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting are a critical component of that landscape. In this report, we present a series of insightful statistical and analytical snapshots relating to the trends in the emergence of new vulnerabilities and exploits, as well as the most prevalent vulnerabilities being used by attackers. Add
Wiz
Crying Out Cloud - March 2024 Newsletter | Wiz
blogs_wiz · 2024-03-01 · CVSS 8.6 · HIGH
Welcome back! In this edition, we bring you the latest in cloud security – crucial vulnerabilities, exclusive data, and noteworthy incidents. Stay informed and stay secure. Let's delve in.
Here are our cloud security highlights!
## 🐞 High Profile Vulnerabilities
Leaky Vessels: Docker and runc Container Escape Vulnerabilities
Several vulnerabilities have been revealed in the runC command line tool (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). These flaws pose a risk of container escape; exploiting these vulnerabilities could grant unauthorized access to the host operating system, potentially compromising sensitive data and facilitating further attacks, particularly with superuser privileges.
According to Wiz data, 18% percent of cloud environments have resources
Bleepingcomputer
Microsoft February 2024 Patch Tuesday fixes 2 zero-days, 73 flaws
blogs_bleepingcomputer · 2024-02-13 · CVSS 7.6 · HIGH
By Lawrence Abrams
- 16 Elevation of Privilege Vulnerabilities
- 3 Security Feature Bypass Vulnerabilities
- 30 Remote Code Execution Vulnerabilities
- 5 Information Disclosure Vulnerabilities
- 9 Denial of Service Vulnerabilities
- 10 Spoofing Vulnerabilities
The total count of 73 flaws does not include 6 Microsoft Edge flaws fixed on February 8th and 1 Mariner flaw.
To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5034765 cumulative update and the Windows 10 KB5034763 update .
## Two zero-days fixed
This month's Patch Tuesday fixes two actively exploited zero-day vulnerabilities, which Microsoft classifies as a flaw that is publicly disclosed or ac
Wiz
Leaky Vessels: Deep Dive on Container Escape Vulnerabilities | Wiz Blog
blogs_wiz·2024-02-05·CVSS 8.6
CVE-2024-21626 [HIGH] Leaky Vessels: Deep Dive on Container Escape Vulnerabilities | Wiz Blog
New vulnerabilities have been revealed in the runC command line tool (CVE-2024-21626) and in BuildKit (CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). These flaws pose a risk of container escape, meaning that exploiting them could grant unauthorized access to the host operating system, potentially compromising sensitive data and facilitating lateral movement in the larger Kubernetes or cloud environment.
The most significant flaw is CVE-2024-21626, enabling an unauthorized party to obtain filesystem access to the host OS, thereby gaining privileged control over the host. This flaw poses a significant threat to orchestration-based setups utilizing runC, such as Kubernetes. By exploiting this vulnerability, an attacker could execute a breakout onto the underlying Kubernetes node when d
Bleepingcomputer
Leaky Vessels flaws allow hackers to escape Docker, runc containers
blogs_bleepingcomputer·2024-02-04·CVSS 8.6
[HIGH] Leaky Vessels flaws allow hackers to escape Docker, runc containers
## Leaky Vessels flaws allow hackers to escape Docker, runc containers
## Bill Toulas
## Escaping containers
Containers are applications packaged into a file that contains all the runtime dependencies, executables, and code required to run an application. These containers are executed by platforms like Docker and Kubernetes that run the application in a virtualized environment isolated from the operating system.
Container escape occurs when an attacker or a malicious application breaks out of the isolated container environment and gains unauthorized access to the host system or other containers.
The Snyk team has found four vulnerabilities collectively called "Leaky Vessels" that impact the runc and Buildkit container infrastructure and build tools, potentially allowing attackers to perfo
Huntress
CVE-2024-21626 Vulnerability: Analysis, Detection, Removal | Huntress
blogs_huntress·CVSS 8.6
CVE-2024-21626 [HIGH] CVE-2024-21626 Vulnerability: Analysis, Detection, Removal | Huntress
## CVE-2024-21626 Vulnerability
Published: 12/05/2025
Written by: Lizzie Danieslon
## What is CVE-2024-21626 Vulnerability?
CVE-2024-21626 is categorized as a Remote Code Execution (RCE) vulnerability caused by improper input validation in specific components of the affected software. Attackers can exploit this flaw by sending specially crafted packets that trigger the execution of unauthorized code. According to reports, it primarily impacts middleware used in server environments, and its severity score (CVSS) is marked as 9.8 critical.
## When was it discovered?
CVE-2024-21626 was publicly disclosed on February 6, 2024, following responsible reporting by cybersecurity researcher Alex Kim from CyberLabs. The vendor issued its advisory the same day, outlining the flaw and providing
arXiv
Downsides of Smartness Across Edge-Cloud Continuum in Modern Industry
arxiv_fulltext·2026-03
Downsides of Smartness Across Edge-Cloud Continuum in Modern Industry
Downsides of Smartness Across Edge-Cloud Continuum in Modern Industry
Akhil Gupta Chigullapally^1, Sharvan Vittala^1, Razin Farhan Hussian^2, Mohsen Amini Salehi^3
^1Department of Computer Science and Engineering, University of North Texas (UNT)
{akhilguptachigullapally, [email protected]}@my.unt.edu
^2Versaterm Public Safety Inc., Canada
[email protected]
^3High Performance Cloud Computing (HPCC) Lab, Department of Computer Science and Engineering, University of North Texas (UNT)
[email protected]
## Abstract
The fast pace of modern AI is rapidly transforming traditional industrial systems into vast, intelligent—and potentially unmanned—autonomous operational environments driven by AI-based solutions. These solutions leverage various forms of machine lea
arXiv
Cross-Service Token: Finding Attacks in 5G Core Networks
arxiv_fulltext·2025-09-10
Cross-Service Token: Finding Attacks in 5G Core Networks
Cross-Service Token: Finding Attacks in 5G Core Networks
Anqi Chen*
Northeastern University
[email protected]
Riccardo Preatoni*
University of Padova
[email protected]
Alessandro Brighente
University of Padova
[email protected]
Mauro Conti
University of Padua & Örebro University
[email protected]
Cristina Nita-Rotaru
Northeastern University
[email protected]
*Equal contribution.
Network and Distributed System Security (NDSS) Symposium 2026
23 - 27 February 2026 , San Diego, CA, USA
ISBN 979-8-9919276-8-0
https://dx.doi.org/10.14722/ndss.2026.[23|24]xxxx
www.ndss-symposium.org
## Abstract
5G marks a major departure from previous cellular architectures, by transitioning from a monolithic design of th
arXiv
CAShift: Benchmarking Log-Based Cloud Attack Detection under Normality Shift
arxiv_fulltext·2025-04-29
CAShift: Benchmarking Log-Based Cloud Attack Detection under Normality Shift
CAShift: Benchmarking Log-Based Cloud Attack Detection under Normality Shift
Jiongchi Yu
0000-0002-2888-4499
Singapore Management University
Singapore
Singapore
[email protected]
Xiaofei Xie
0000-0002-1288-6502
Singapore Management University
Singapore
Singapore
[email protected]
Qiang Hu
Corresponding Author.
0000-0002-8251-1669
Tianjin University
Tianjin
China
[email protected]
Bowen Zhang
0009-0009-7513-2319
Singapore Management University
Singapore
Singapore
[email protected]
Ziming Zhao
0000-0003-1455-4330
Zhejiang University
Hangzhou
China
[email protected]
Yun Lin
0000-0001-8255-0118
Shanghai Jiao Tong University
Shanghai
China
[email protected]
Lei Ma
0000-0002-8621-2420
University of Tokyo
Tokyo
Japan
University of Alberta
Alberta
Canada
ma.le
arXiv
Goldilocks Isolation: High Performance VMs with Edera
arxiv_fulltext·2025-01-08
Goldilocks Isolation: High Performance VMs with Edera
## Abstract
Organizations run applications on cloud infrastructure shared between multiple users and organizations.
Popular tooling for this shared infrastructure, including Docker and Kubernetes, supports such multi-tenancy through the use of operating system virtualization.
With operating system virtualization (known as containerization), multiple applications share the same kernel, reducing the runtime overhead.
However, this shared kernel presents a large attack surface and has led to a proliferation of container escape attacks in which a kernel exploit lets an attacker escape the isolation of operating system virtualization to access other applications or the operating system itself.
To address this, some systems have proposed a return to hypervisor virtualization for stronger isolat
arXiv
Analysis of Security in OS-Level Virtualization
arxiv_fulltext·2025-01-02
Analysis of Security in OS-Level Virtualization
Analysis of Security in OS-Level Virtualization
Krishna Sai Ketha^1, Guanqun Song^1, Ting Zhu^1
^1Department of Computer Science and Engineering, The Ohio State University, Columbus, USA
Email: [email protected], [email protected], [email protected]
## Abstract
Virtualization is a technique that allows multiple instances, typically running different guest operating systems, to run on top of a single physical hardware platform. A hypervisor, a layer of software running on top of the host operating system, typically runs and manages these different guest operating systems. Rather than running different services on different servers for reliability and security reasons, companies started to employ virtualization on their servers to run these services within a single server. This approach proves benefic
arXiv
LLM Agents can Autonomously Exploit One-day Vulnerabilities
arxiv_fulltext·2024-04-17
LLM Agents can Autonomously Exploit One-day Vulnerabilities
## Abstract
LLMs have become increasingly powerful, both in their benign and malicious uses. With the increase in capabilities, researchers have been increasingly interested in their ability to exploit cybersecurity vulnerabilities. In particular, recent work has conducted preliminary studies on the ability of LLM agents to autonomously hack websites. However, these studies are limited to simple vulnerabilities.

In this work, we show that LLM agents can autonomously exploit one-day vulnerabilities in real-world systems. To show this, we collected a dataset of 15 one-day vulnerabilities that include ones categorized as critical severity in the CVE description. When given the CVE description, GPT-4 is capable of exploiting 87% of these vulnerabilities compared to 0% for every other model
Published 2024-01-31. Exploited in the wild.