cbcvebase.

Opencontainers Runc vulnerabilities

7 known vulnerabilities affecting opencontainers/runc.

Total CVEs
7
CISA KEV
0
Public exploits
1
Exploited in wild
1
Severity breakdown
HIGH4MEDIUM2LOW1

Vulnerabilities

Page 1 of 1
CVE-2024-21626P1HIGHCVSS 8.6ExploitedPoCv>=v1.0.0-rc93, < 1.1.122024-01-31
CVE-2024-21626 [HIGH] CWE-403 CVE-2024-21626: runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access
nvd
CVE-2025-31133P3HIGHCVSS 7.8v>= 1.0.0-rc3, < 1.2.8v>= 1.3.0-rc.1, < 1.3.3+1 more2025-11-06
CVE-2025-31133 [HIGH] CWE-61 CVE-2025-31133: runc is a CLI tool for spawning and running containers according to the OCI specification. In versio runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container
nvd
CVE-2023-28642P3HIGHCVSS 7.8fixed in 1.1.52023-03-29
CVE-2023-28642 [HIGH] CWE-281 CVE-2023-28642: runc is a CLI tool for spawning and running containers according to the OCI specification. It was fo runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgra
nvd
CVE-2019-19921P4HIGHCVSS 7.0≤ 1.2.7, < 1.2.82020-02-12
CVE-2019-19921 [HIGH] CWE-706 CVE-2019-19921: runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that hap
nvd
CVE-2021-43784P4MEDIUMCVSS 5.0fixed in 1.0.32021-12-06
CVE-2021-43784 [MEDIUM] CWE-190 CVE-2021-43784: runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the enco
nvd
CVE-2023-25809P4MEDIUMCVSS 6.3fixed in 1.1.52023-03-29
CVE-2023-25809 [MEDIUM] CWE-281 CVE-2023-25809: runc is a CLI tool for spawning and running containers according to the OCI specification. In affect runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|
nvd
CVE-2024-45310P4LOWCVSS 3.6fixed in 1.1.14v>= 1.2.0-rc-1, < 1.2.0-rc.32024-09-03
CVE-2024-45310 [LOW] CWE-61 CVE-2024-45310: runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1. runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could b
nvd
Opencontainers Runc vulnerabilities | cvebase