CVE-2024-23652
Published: 2024-01-31
Priority: P353
Severity: critical, 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 2.04% (78.7th percentile)
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature.
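The workaround above has two parts: keep BuildKit at v0.12.5 or later, and do not feed an unfixed BuildKit a Dockerfile or frontend you do not trust if it uses `RUN --mount`. The following pre-build gate is an added example written for this page, not BuildKit's own code or anything from the advisory: it parses a Dockerfile the way the Dockerfile parser does (joining backslash continuations, skipping comments), reports every `RUN --mount` with its mount type and target, detects a leading `# syntax=` frontend directive, and compares the BuildKit version against v0.12.5. The blocking policy, the report layout, the function names and the sample Dockerfile are all this example's own assumptions; the sample input is constructed, not taken from any real project.

```python
"""Added example: pre-build gate for Dockerfiles from untrusted sources.
Applies the advisory's workaround for CVE-2024-23652: on a BuildKit older
than v0.12.5, refuse untrusted input that requests a frontend or uses
RUN --mount. Policy and report format are assumptions of this example."""
import re
import sys
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

FIXED_VERSION: Tuple[int, int, int] = (0, 12, 5)   # "fixed in v0.12.5" per the advisory

# A --mount=<spec> token anywhere on the logical RUN line is counted; that is
# deliberately conservative (flags more, never fewer).
MOUNT_FLAG = re.compile(r"--mount=(\S+)")
# Parser directive selecting a frontend image, e.g. "# syntax=docker/dockerfile:1".
SYNTAX_DIRECTIVE = re.compile(r"^#\s*syntax\s*=\s*(\S+)", re.IGNORECASE)


@dataclass(frozen=True)
class MountUse:
    line: int              # first physical line of the RUN instruction (1-based)
    mount_type: str        # bind, cache, tmpfs, secret or ssh; BuildKit defaults to bind
    target: Optional[str]  # mount target inside the build container, if given


def parse_version(text: str) -> Tuple[int, int, int]:
    """major.minor.patch from 'v0.12.4', '0.12.5' or a buildkitd banner line."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def buildkit_is_fixed(version_text: str) -> bool:
    return parse_version(version_text) >= FIXED_VERSION


def logical_lines(dockerfile: str) -> Iterator[Tuple[int, str]]:
    """Yield (first_line_no, instruction) with continuations joined and
    comment/blank lines dropped, as the Dockerfile parser sees them."""
    buf: List[str] = []
    start = 0
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                       # comments are legal inside a continuation
        if not buf:
            start = n
        if stripped.endswith("\\"):
            buf.append(stripped[:-1].rstrip())
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf = []
    if buf:                                # file ended mid-continuation
        yield start, " ".join(buf)


def frontend_directive(dockerfile: str) -> Optional[str]:
    """Frontend image named by a leading '# syntax=' directive, else None.
    Leading blank lines are tolerated here, which errs on the side of flagging."""
    for raw in dockerfile.splitlines():
        if not raw.strip():
            continue
        m = SYNTAX_DIRECTIVE.match(raw.strip())
        return m.group(1) if m else None   # only honoured before the first instruction
    return None


def find_run_mounts(dockerfile: str) -> List[MountUse]:
    found: List[MountUse] = []
    for line_no, text in logical_lines(dockerfile):
        instruction, _, rest = text.partition(" ")
        if instruction.upper() != "RUN":
            continue
        for spec in MOUNT_FLAG.findall(rest):
            kv = dict(item.partition("=")[::2] for item in spec.split(","))
            target = kv.get("target") or kv.get("dst") or kv.get("destination")
            found.append(MountUse(line_no, kv.get("type", "bind"), target))
    return found


def gate(dockerfile: str, buildkit_version: str, trusted: bool) -> dict:
    """Policy (this example's assumption): a fixed BuildKit or a trusted source
    always passes; otherwise a frontend request or any RUN --mount blocks."""
    mounts = find_run_mounts(dockerfile)
    frontend = frontend_directive(dockerfile)
    fixed = buildkit_is_fixed(buildkit_version)
    reasons: List[str] = []
    if not fixed:
        reasons.append(f"BuildKit {buildkit_version!r} is older than v0.12.5")
    if frontend:
        reasons.append(f"Dockerfile requests frontend image {frontend}")
    if mounts:
        reasons.append(f"RUN --mount used at line(s) {sorted({m.line for m in mounts})}")
    risky = bool(frontend or mounts)
    return {"allowed": fixed or trusted or not risky, "buildkit_fixed": fixed,
            "frontend": frontend, "mounts": mounts, "reasons": reasons}


# Constructed sample input for this example, not taken from any real project.
SAMPLE_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM alpine:3.19
RUN --mount=type=cache,target=/var/cache/apk \\
    apk add --no-cache curl
run --mount=type=bind,source=.,target=/src,rw \\
    # a comment inside a continuation is legal
    --mount=type=secret,id=token \\
    cat /src/build.sh
COPY . /app
RUN echo done
"""

if __name__ == "__main__":
    # Usage: python gate.py [Dockerfile] [BuildKit version string]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DOCKERFILE
    version = sys.argv[2] if len(sys.argv) > 2 else "v0.12.4"
    report = gate(text, version, trusted=False)
    for m in report["mounts"]:
        print(f"line {m.line}: --mount type={m.mount_type} target={m.target}")
    print("ALLOWED" if report["allowed"] else "BLOCKED", *report["reasons"], sep="\n  ")
```

Run without arguments it scans the constructed sample against an assumed BuildKit v0.12.4 and blocks it, listing the frontend directive and the two `RUN --mount` lines; pass the output of `buildkitd --version` (or `docker buildx version`) as the second argument to check a real daemon. The gate is a CI-side control that complements the upgrade; it does not replace moving to v0.12.5.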
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | moby_buildkit | >= 0 < 0.12.5 | 0.12.5 |
| moby | buildkit | < 0.12.5 | 0.12.5 |
| mobyproject | buildkit | < 0.12.5 | 0.12.5 |
| msrc | azl3_moby-engine_20.10.25-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_moby-engine_25.0.3-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_moby-engine_20.10.27-4_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_moby-engine_24.0.9-16_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| paloalto | cortex_xsoar | — | — |
| paloalto | prisma_cloud | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| osv | 9.1 | CRITICAL | — |
| vendor_redhat | 10.0 | CRITICAL | — |
| vendor_msrc | 9.1 | CRITICAL | — |
| vendor_ubuntu | 7.5 | HIGH | — |
OSV
Host system modification in github.com/moby/buildkit
osv·2024-02-12
CVE-2024-23652 Host system modification in github.com/moby/buildkit
Host system modification in github.com/moby/buildkit
A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system.
GHSA
BuildKit vulnerable to possible host system access from mount stub cleaner
ghsa·2024-01-31
CVE-2024-23652 [CRITICAL] CWE-22 BuildKit vulnerable to possible host system access from mount stub cleaner
BuildKit vulnerable to possible host system access from mount stub cleaner
### Impact
A malicious BuildKit frontend or Dockerfile using `RUN --mount` could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system.
### Patches
The issue has been fixed in v0.12.5
### Workarounds
Avoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing `RUN --mount` feature.
### References
OSV
CVE-2024-23652: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner
osv·2024-01-31·CVSS 9.1
CVE-2024-23652 [CRITICAL] CVE-2024-23652: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature.
Ubuntu
Docker vulnerabilities
vendor_ubuntu·2025-05-01·CVSS 7.5
CVE-2023-28840 [HIGH] Docker vulnerabilities
Title: Docker vulnerabilities
Summary: Several security issues were fixed in Docker.
Cory Snider discovered that Docker incorrectly handled networking packet
encapsulation. An attacker could use this issue to inject internet
packets in established connection, possibly causing a denial of service or
bypassing firewall protections. This issue only affected Ubuntu 22.04 LTS,
Ubuntu 20.04 LTS, and Ubuntu 18.04 LTS. (CVE-2023-28840, CVE-2023-28841,
CVE-2023-28842)
Rory McNamara discovered that Docker incorrectly handled cache in the
BuildKit toolkit. An attacker could possibly use this issue to expose
sensitive information. (CVE-2024-23651)
It was discovered that Docker incorrectly handled parallel operations in
some circumstances, which could possibly lead to undefined behavior.
(CVE-2024-
Palo Alto
PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653)
vendor_paloalto·2024-02-22·CVSS 8.6
CVE-2024-21626 [HIGH] CWE-22 PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653)
PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653)
The Palo Alto Networks Product Security Assurance team has evaluated the four vulnerabilities in Open Container Initiative's runc and Moby BuildKit software (collectively known as "Leaky Vessels") as it relates to our products. While Cortex XSOAR 8, Cortex XSOAR 6 Hosted, and Prisma Cloud Compute rely on this software, they do not offer any scenarios required for the successful
CVEs: CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, CVE-2024-23653
Affected products: Cortex XSOAR, Prisma Cloud
Red Hat
moby/buildkit: possible host system access from mount stub cleaner
vendor_redhat·2024-01-31·CVSS 10.0
CVE-2024-23652 [CRITICAL] CWE-22 moby/buildkit: possible host system access from mount stub cleaner
moby/buildkit: possible host system access from mount stub cleaner
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature.
A vulnerability was found in the Moby Builder Toolkit, which arose from BuildKit's attempts to clean up temporarily added directories after use. A malicious BuildKit frontend or Dockerfile using RUN --mount could deceive th
Microsoft
BuildKit possible host system access from mount stub cleaner
vendor_msrc·2024-01-09·CVSS 9.1
CVE-2024-23652 [CRITICAL] CWE-22 BuildKit possible host system access from mount stub cleaner
BuildKit possible host system access from mount stub cleaner
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries of which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: ht
No detection rules found.
No public exploits indexed.
Wiz
Crying Out Cloud - March 2024 Newsletter | Wiz
blogs_wiz·2024-03-01·CVSS 8.6
CVE-2024-21626 [HIGH] Crying Out Cloud - March 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – crucial vulnerabilities, exclusive data, and noteworthy incidents. Stay informed and stay secure. Let's delve in.
Here are our cloud security highlights!
## 🐞 High Profile Vulnerabilities
Leaky Vessels: Docker and runc Container Escape Vulnerabilities
Several vulnerabilities have been revealed in the runC command line tool (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). These flaws pose a risk of container escape: exploiting them could grant unauthorized access to the host operating system, potentially compromising sensitive data and facilitating further attacks, particularly with superuser privileges.
According to Wiz data, 18% percent of cloud environments have resources
Wiz
Leaky Vessels: Deep Dive on Container Escape Vulnerabilities | Wiz Blog
blogs_wiz·2024-02-05·CVSS 8.6
CVE-2024-21626 [HIGH] Leaky Vessels: Deep Dive on Container Escape Vulnerabilities | Wiz Blog
New vulnerabilities have been revealed in the runC command line tool (CVE-2024-21626) and in BuildKit (CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). These flaws pose a risk of container escape, meaning that exploiting them could grant unauthorized access to the host operating system, potentially compromising sensitive data and facilitating lateral movement in the larger Kubernetes or cloud environment.
The most significant flaw is CVE-2024-21626, enabling an unauthorized party to obtain filesystem access to the host OS, thereby gaining privileged control over the host. This flaw poses a significant threat to orchestration-based setups utilizing runC, such as Kubernetes. By exploiting this vulnerability, an attacker could execute a breakout onto the underlying Kubernetes node when d
Bleepingcomputer
Leaky Vessels flaws allow hackers to escape Docker, runc containers
blogs_bleepingcomputer·2024-02-04·CVSS 8.6
[HIGH] Leaky Vessels flaws allow hackers to escape Docker, runc containers
## Leaky Vessels flaws allow hackers to escape Docker, runc containers
## Bill Toulas
## Escaping containers
Containers are applications packaged into a file that contains all the runtime dependencies, executables, and code required to run an application. These containers are executed by platforms like Docker and Kubernetes that run the application in a virtualized environment isolated from the operating system.
Container escape occurs when an attacker or a malicious application breaks out of the isolated container environment and gains unauthorized access to the host system or other containers.
The Snyk team has found four vulnerabilities, collectively called "Leaky Vessels", that impact the runc and BuildKit container infrastructure and build tools, potentially allowing attackers to perfo
Bugzilla
CVE-2024-23652 moby/buildkit: possible host system access from mount stub cleaner
bugzilla·2024-02-01·CVSS 9.1
CVE-2024-23652 [CRITICAL] CVE-2024-23652 moby/buildkit: possible host system access from mount stub cleaner
CVE-2024-23652 moby/buildkit: possible host system access from mount stub cleaner
Docker BuildKit <= v0.12.4, as used by the Docker engine, is affected. Exploitation of this issue can result in arbitrary file and directory deletion on the underlying host OS when building an image from a malicious Dockerfile or upstream image (i.e., when using FROM).
https://snyk.io/blog/cve-2024-23652-buildkit-build-time-container-teardown-arbitrary-delete/
https://github.com/moby/buildkit/pull/4603
https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8
https://github.com/moby/buildkit/releases/tag/v0.12.5
Published: 2024-01-31