Jan 1, 2026 · 6 min read
Containers aren't real. They are just processes lying to the kernel. CVE-2019-5736 exploits this lie by tricking the host's container runtime (`runc`) into handing the container it manages a file descriptor that refers to the runtime's own binary on the host. From inside the container, an attacker can overwrite that `runc` binary with a malicious payload, gaining root execution on the host the next time `runc` is run.
A fundamental design flaw in how `runc` handles file descriptors allows a malicious container to overwrite the host `runc` binary, resulting in complete host compromise upon subsequent execution.
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| runc (OpenContainers) | <= 1.0-rc6 | 1.0-rc7 |
| Docker (Docker Inc.) | < 18.09.2 | 18.09.2 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-269 (Improper Privilege Management) |
| Attack Vector | Local (requires container execution) |
| CVSS | 8.6 (High) |
| EPSS Score | 55.56% |
| Impact | Container Escape / Host Root Compromise |
| Exploit Status | Weaponized / PoC Available |
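As an added example (not part of the original advisory), the following Python check parses the version strings printed by `runc --version` and `docker --version` and compares them against the fixed versions in the table above. It handles the release-candidate ordering pitfall that a naive string comparison gets wrong (1.0.0-rc6 < 1.0.0-rc10 < 1.0.0); the version strings used for testing are constructed samples.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Fixed versions taken from the advisory table above.
RUNC_FIXED = "1.0.0-rc7"
DOCKER_FIXED = "18.09.2"

# Matches "1.0.0-rc6", "1.0-rc6", "18.09.2"; ignores surrounding text such as
# "runc version ..." or ", build <hash>".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-rc(\d+))?")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Return a sortable key (numeric parts, rc number) for the first version in text.

    A release candidate sorts strictly before the final release, so the rc
    component of a final release is set to a very large sentinel. rc numbers are
    compared as integers, so rc10 correctly sorts after rc7.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))  # "1.0" and "1.0.0" compare equal
    rc = int(m.group(2)) if m.group(2) else 10**9
    return nums, rc


def is_vulnerable(observed: str, fixed: str) -> bool:
    """True when the observed version sorts strictly below the fixed version."""
    return parse_version(observed) < parse_version(fixed)


def check_installed(binary: str, fixed: str) -> Optional[bool]:
    """Run `<binary> --version` on this host; None if the binary is not on PATH."""
    path = shutil.which(binary)
    if path is None:
        return None
    proc = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    return is_vulnerable(proc.stdout, fixed)


if __name__ == "__main__":
    for name, fixed in (("runc", RUNC_FIXED), ("docker", DOCKER_FIXED)):
        state = check_installed(name, fixed)
        verdict = "not installed" if state is None else ("VULNERABLE" if state else "patched")
        print(f"{name}: {verdict}")
```

Version gating is only a first pass: distributions sometimes backport the fix without bumping the reported version, so confirm against your vendor's advisory for the installed package.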