CVE-2024-23651
Published 2024-01-31. CVE-2024-23651: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in…
Priority: P344 · Severity: high · CVSS 3.1 base score: 7.4
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.79% (51.7th percentile)
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include avoiding the use of a BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | moby_buildkit | >= 0 < 0.12.5 | 0.12.5 |
| moby | buildkit | < 0.12.5 | 0.12.5 |
| mobyproject | buildkit | < 0.12.5 | 0.12.5 |
| msrc | azl3_moby-engine_20.10.25-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_moby-engine_25.0.3-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_moby-engine_20.10.27-4_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_moby-engine_24.0.9-16_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| paloalto | cortex_xsoar | — | — |
| paloalto | prisma_cloud | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (CVSS v3.1) | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| osv | 8.7 | HIGH | — |
| vendor_redhat | 8.7 | HIGH | — |
| vendor_ubuntu | 7.5 | HIGH | — |
| vendor_msrc | 7.4 | HIGH | — |
Ubuntu
Docker vulnerabilities
vendor_ubuntu·2025-05-01·CVSS 7.5
CVE-2023-28840 [HIGH] Docker vulnerabilities
Title: Docker vulnerabilities
Summary: Several security issues were fixed in Docker.
Cory Snider discovered that Docker incorrectly handled networking packet encapsulation. An attacker could use this issue to inject internet packets into an established connection, possibly causing a denial of service or bypassing firewall protections. This issue only affected Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 18.04 LTS. (CVE-2023-28840, CVE-2023-28841, CVE-2023-28842)

Rory McNamara discovered that Docker incorrectly handled cache in the BuildKit toolkit. An attacker could possibly use this issue to expose sensitive information. (CVE-2024-23651)

It was discovered that Docker incorrectly handled parallel operations in some circumstances, which could possibly lead to undefined behavior. (CVE-2024-
Palo Alto
PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653)
vendor_paloalto·2024-02-22·CVSS 8.6
CVE-2024-21626 [HIGH] CWE-22 PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653)
PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653)
The Palo Alto Networks Product Security Assurance team has evaluated the four vulnerabilities in Open Container Initiative's runc and Moby BuildKit software (collectively known as "Leaky Vessels") as they relate to our products. While Cortex XSOAR 8, Cortex XSOAR 6 Hosted, and Prisma Cloud Compute rely on this software, they do not offer any scenarios required for the successful
CVEs: CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, CVE-2024-23653
Affected products: Cortex XSOAR, Prisma Cloud
Red Hat
moby/buildkit: possible race condition with accessing subpaths from cache mounts
vendor_redhat·2024-01-31·CVSS 8.7
CVE-2024-23651 [HIGH] CWE-362 moby/buildkit: possible race condition with accessing subpaths from cache mounts
moby/buildkit: possible race condition with accessing subpaths from cache mounts
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include avoiding the use of a BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.
A race condition issue was found in the Moby Builder Toolkit, stemming from a time-of-check/time-of-use (TOCTOU) vulnerability during cache volume mounting at container build
Microsoft
BuildKit possible race condition with accessing subpaths from cache mounts
vendor_msrc·2024-01-09·CVSS 7.4
CVE-2024-23651 [HIGH] CWE-362 BuildKit possible race condition with accessing subpaths from cache mounts
BuildKit possible race condition with accessing subpaths from cache mounts
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
OSV
docker.io vulnerabilities
osv·2025-05-01·CVSS 8.7
CVE-2023-28840 [HIGH] docker.io vulnerabilities
docker.io vulnerabilities
Cory Snider discovered that Docker incorrectly handled networking packet encapsulation. An attacker could use this issue to inject internet packets into an established connection, possibly causing a denial of service or bypassing firewall protections. This issue only affected Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 18.04 LTS. (CVE-2023-28840, CVE-2023-28841, CVE-2023-28842)

Rory McNamara discovered that Docker incorrectly handled cache in the BuildKit toolkit. An attacker could possibly use this issue to expose sensitive information. (CVE-2024-23651)

It was discovered that Docker incorrectly handled parallel operations in some circumstances, which could possibly lead to undefined behavior. (CVE-2024-36621, CVE-2024-36623)

Rory McNamara discovered that Docker
OSV
Host system file access in github.com/moby/buildkit
osv·2024-02-13
CVE-2024-23651 Host system file access in github.com/moby/buildkit
Host system file access in github.com/moby/buildkit
Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container.
GHSA
BuildKit vulnerable to possible race condition with accessing subpaths from cache mounts
ghsa·2024-01-31
CVE-2024-23651 [HIGH] CWE-362 BuildKit vulnerable to possible race condition with accessing subpaths from cache mounts
BuildKit vulnerable to possible race condition with accessing subpaths from cache mounts
### Impact
Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container.
### Patches
The issue has been fixed in v0.12.5.
### Workarounds
Avoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with `--mount=type=cache,source=...` options.
### References
https://www.openwall.com/lists/oss-security/2019/05/28/1
OSV
BuildKit vulnerable to possible race condition with accessing subpaths from cache mounts
osv·2024-01-31
CVE-2024-23651 [HIGH] BuildKit vulnerable to possible race condition with accessing subpaths from cache mounts
BuildKit vulnerable to possible race condition with accessing subpaths from cache mounts
### Impact
Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container.
### Patches
The issue has been fixed in v0.12.5.
### Workarounds
Avoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with `--mount=type=cache,source=...` options.
### References
https://www.openwall.com/lists/oss-security/2019/05/28/1
OSV
CVE-2024-23651: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner
osv·2024-01-31·CVSS 7.4
CVE-2024-23651 [HIGH] CVE-2024-23651: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include avoiding the use of a BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.
No detection rules found.
No public exploits indexed.
Wiz
Crying Out Cloud - March 2024 Newsletter | Wiz
blogs_wiz·2024-03-01·CVSS 8.6
CVE-2024-21626 [HIGH] Crying Out Cloud - March 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – crucial vulnerabilities, exclusive data, and noteworthy incidents. Stay informed and stay secure. Let's delve in.
Here are our cloud security highlights!
## 🐞 High Profile Vulnerabilities
Leaky Vessels: Docker and runc Container Escape Vulnerabilities
Several vulnerabilities have been revealed in the runC command line tool (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). These flaws pose a risk of container escape; exploiting these vulnerabilities could grant unauthorized access to the host operating system, potentially compromising sensitive data and facilitating further attacks, particularly with superuser privileges.
According to Wiz data, 18% of cloud environments have resources
Wiz
Leaky Vessels: Deep Dive on Container Escape Vulnerabilities | Wiz Blog
blogs_wiz·2024-02-05·CVSS 8.6
CVE-2024-21626 [HIGH] Leaky Vessels: Deep Dive on Container Escape Vulnerabilities | Wiz Blog
New vulnerabilities have been revealed in the runC command line tool (CVE-2024-21626) and in BuildKit (CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). These flaws pose a risk of container escape, meaning that exploiting them could grant unauthorized access to the host operating system, potentially compromising sensitive data and facilitating lateral movement in the larger Kubernetes or cloud environment.
The most significant flaw is CVE-2024-21626, enabling an unauthorized party to obtain filesystem access to the host OS, thereby gaining privileged control over the host. This flaw poses a significant threat to orchestration-based setups utilizing runC, such as Kubernetes. By exploiting this vulnerability, an attacker could execute a breakout onto the underlying Kubernetes node when d
Bleepingcomputer
Leaky Vessels flaws allow hackers to escape Docker, runc containers
blogs_bleepingcomputer·2024-02-04·CVSS 8.6
[HIGH] Leaky Vessels flaws allow hackers to escape Docker, runc containers
By Bill Toulas
## Escaping containers
Containers are applications packaged into a file that contains all the runtime dependencies, executables, and code required to run an application. These containers are executed by platforms like Docker and Kubernetes that run the application in a virtualized environment isolated from the operating system.
Container escape occurs when an attacker or a malicious application breaks out of the isolated container environment and gains unauthorized access to the host system or other containers.
Snyk team has found four vulnerabilities collectively called "Leaky Vessels" that impact the runc and Buildkit container infrastructure and build tools, potentially allowing attackers to perfo
Bugzilla
CVE-2024-23651 moby/buildkit: possible race condition with accessing subpaths from cache mounts
bugzilla·2024-02-01·CVSS 7.4
CVE-2024-23651 [HIGH] CVE-2024-23651 moby/buildkit: possible race condition with accessing subpaths from cache mounts
CVE-2024-23651 moby/buildkit: possible race condition with accessing subpaths from cache mounts
Docker Buildkit <=v0.12.4, as used by the Docker engine. The exploitation of this issue can result in container escape to the underlying host OS when building an image using a malicious Dockerfile or upstream image (i.e. when using FROM)
References:
- https://snyk.io/blog/cve-2024-23651-docker-buildkit-mount-cache-race/
- https://www.openwall.com/lists/oss-security/2019/05/28/1
- https://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv
- https://github.com/moby/buildkit/pull/4604
- https://github.com/moby/buildkit/releases/tag/v0.12.5
Published: 2024-01-31