CVE-2024-21626
published 2024-01-31


Priority: P1 82 high
CVSS 3.1: 8.6 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 18.09% (96.8th percentile)
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.

Affected

17 ranges
Vendor           Product                   Version range                            Fixed in
debian           runc                      < runc 1.1.5+ds1-1+deb12u1 (bookworm)    runc 1.1.5+ds1-1+deb12u1 (bookworm)
fedoraproject    fedora                    -                                        -
github.com       opencontainers_runc       >= 1.0.0-rc93 < 1.1.12                   1.1.12
github.com       siderolabs_talos          >= 0 < 1.5.6                             1.5.6
github.com       siderolabs_talos          >= 1.6.0 < 1.6.4                         1.6.4
googlechrome     chrome                    -                                        -
linuxfoundation  runc                      < 1.1.12                                 1.1.12
linuxfoundation  runc                      >= 0 < 1.0.0~rc93+ds1-5+deb11u3          1.0.0~rc93+ds1-5+deb11u3
linuxfoundation  runc                      >= 0 < 1.1.5+ds1-1+deb12u1               1.1.5+ds1-1+deb12u1
linuxfoundation  runc                      >= 0 < 1.1.12+ds1-1                      1.1.12+ds1-1
linuxfoundation  runc                      >= 0 < 1.1.12+ds1-1                      1.1.12+ds1-1
msrc             azure_kubernetes_service  -                                        -
msrc             cbl_mariner_2.0_arm       -                                        -
msrc             cbl_mariner_2.0_x64       -                                        -
opencontainers   runc                      -                                        -
paloalto         cortex_xsoar              -                                        -
paloalto         prisma_cloud              -                                        -

Detection & IOCs (extracted from sources)

path: /proc/self/fd/[fd]
command: FROM ubuntu WORKDIR /proc/self/fd/[9]
command: RUN cd ../../../../../ && cat etc/shadow
  • Detect malicious Dockerfile or container image using WORKDIR set to a procfs path such as /proc/self/fd/<fd_number>, which is the primary exploit primitive for CVE-2024-21626.
  • Monitor for container processes whose working directory resolves to a path inside the host filesystem namespace (e.g., /proc/self/fd pointing outside the container rootfs), indicating a successful container escape via the internal file descriptor leak.
  • Alert on runc exec invocations where the spawned container process working directory traverses up from /proc/self/fd to reach host filesystem paths (e.g., ../../../../etc/shadow).
  • Flag any container image or Dockerfile specifying a WORKDIR value referencing /proc/self/fd/ as this is the attack vector for both 'attack 1' (runc run) and 'attack 2' (runc exec) variants.
  • Identify vulnerable runc versions 1.1.11 and earlier; patch to runc 1.1.12 or higher. Also check Docker versions below 25.0.2 / 4.27.1 and BuildKit below 0.12.5.
  • Use runtime sensors to detect live exploitation attempts: watch for container processes accessing /sys/fs/cgroup or /proc/self/fd paths that resolve to host filesystem locations.
  • Monitor for semi-arbitrary host binary overwrites as an indicator of 'attack 3a' and 'attack 3b' variants, which can lead to complete container escape.
  • The vulnerability is exploitable without public network exposure; it requires attacker control over the container image, Dockerfile/BuildKit frontend, or runc exec command-line arguments, not arbitrary code execution in a running container.
  • The vulnerability also affects higher-level runtimes such as Docker and Kubernetes when running specially crafted images or specifying malicious workdir options; it is not limited to direct runc usage.
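As an added example (not code from this page or from the runc project), a small Dockerfile scanner that implements the WORKDIR checks in the bullets above: it resolves each WORKDIR against the previous one, the way Docker does, and flags any WORKDIR or RUN that operates from a procfs fd directory, including relative WORKDIRs and pid/task variants beyond /proc/self/fd. The sample Dockerfile is constructed to mirror the IOC listed above.

```python
import posixpath
import re

# Constructed sample Dockerfile mirroring the IOC pattern listed above; not a real image.
SAMPLE_DOCKERFILE = """\
FROM ubuntu
# cwd becomes a leaked host directory fd inside the container
WORKDIR /proc/self/fd/9
RUN cd ../../../../../ && cat etc/shadow
"""

# Matches /proc/self/fd, /proc/thread-self/fd, /proc/<pid>/fd and /proc/<pid>/task/<tid>/fd
PROCFS_FD_RE = re.compile(r"^/proc/(?:self|thread-self|\d+)(?:/task/\d+)?/fd(?:/|$)")


def parse_instructions(text):
    """Yield (INSTRUCTION, args) pairs, joining backslash continuations and skipping comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        parts = (buf + line).split(None, 1)
        buf = ""
        yield parts[0].upper(), (parts[1].strip().strip('"') if len(parts) > 1 else "")


def scan_dockerfile(text):
    """Return findings for WORKDIR/RUN usage that lands in a procfs fd directory."""
    findings = []
    cwd, tainted = "/", False
    for instr, args in parse_instructions(text):
        if instr == "WORKDIR":
            # WORKDIR may be relative to the previous WORKDIR, so resolve before matching
            cwd = posixpath.normpath(posixpath.join(cwd, args))
            tainted = bool(PROCFS_FD_RE.match(cwd))
            if tainted:
                findings.append(f"WORKDIR resolves to procfs fd path {cwd}")
        elif instr == "RUN" and (tainted or "/proc/self/fd" in args):
            # once cwd is a leaked fd, any RUN (and ../ traversal inside it) acts on the host
            findings.append(f"RUN executes with cwd {cwd}: {args}")
    return findings


if __name__ == "__main__":
    for finding in scan_dockerfile(SAMPLE_DOCKERFILE):
        print("FINDING:", finding)
```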

CVSS provenance

nvd (v3.1): 8.6 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
ghsa: 8.6 HIGH
osv: 8.6 HIGH
vulncheck: 8.6 HIGH
vendor_debian: 8.6 HIGH
vendor_msrc: 8.6 HIGH
vendor_oracle: 8.6 HIGH
vendor_redhat: 8.6 HIGH