CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2019-5736

Breaking Out of the Box: The Runc Overwrite (CVE-2019-5736)

Amit Schendel
Amit Schendel
Senior Security Researcher

Jan 1, 2026·6 min read·48 visits

Executive Summary (TL;DR)

Containers aren't real. They are just processes lying to the kernel. CVE-2019-5736 exploits this lie by tricking the host's container runtime (`runc`) into exposing its own binary file descriptor to the container it is managing. An attacker can overwrite the `runc` binary on the host with a malicious payload, achieving root execution on the host system the next time `runc` is used.

A fundamental design flaw in how `runc` handles file descriptors allows a malicious container to overwrite the host `runc` binary, resulting in complete host compromise upon subsequent execution.

Official Patches

DockerDocker Engine 18.09.2 Release Notes
OpenContainersOfficial fix commit in runc

Fix Analysis (1)

Technical Appendix

CVSS Score
8.6/ 10
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Probability
55.56%
Top 99% most exploited

Affected Systems

Docker (versions prior to 18.09.2)Kubernetes (nodes using affected container runtimes)containerd (prior to patched versions)CRI-O (prior to patched versions)runc (<= 1.0-rc6)

Affected Versions Detail

Product
Affected Versions
Fixed Version
runc
OpenContainers
<= 1.0-rc61.0-rc7
Docker
Docker Inc.
< 18.09.218.09.2
AttributeDetail
CWE IDCWE-269
Attack VectorLocal (requires container execution)
CVSS8.6 (High)
EPSS Score55.56%
ImpactContainer Escape / Host Root Compromise
Exploit StatusWeaponized / PoC Available

MITRE ATT&CK Mapping

T1611Escape to Host
Privilege Escalation
T1543Create or Modify System Process
Persistence
T1574Hijack Execution Flow
Persistence
CWE-269
Improper Privilege Management

Improper Privilege Management

Known Exploits & Detection

GitHubGo-based implementation of the container escape
ExploitDBPoC for runc container escape

Vulnerability Timeline

Vulnerability discovered by Adam Iwaniuk and Borys Popławski
2019-01-01
CVE-2019-5736 Assigned and Patch Released
2019-02-11
Public Proof of Concepts released
2019-02-13

References & Sources

  • [1]Unit42 Analysis of CVE-2019-5736
  • [2]Dragonfly Research: Runc Escape
Related Vulnerabilities
CVE-2024-21626CVE-2016-9962

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 24 hours ago•CVE-2025-6965
7.7

CVE-2025-6965: Remote Code Execution via Integer Truncation in SQLite Aggregate Parser

An integer truncation vulnerability (CWE-197) exists in SQLite before version 3.50.2 during the processing of aggregate queries with more than 32,767 distinct column references. This causes an internal 32-bit counter to truncate to a signed 16-bit integer, producing negative values that cause out-of-bounds heap operations in release builds.

Amit Schendel
Amit Schendel
10 views•6 min read
•1 day ago•CVE-2026-47291
9.8

CVE-2026-47291: Remote Code Execution in Windows HTTP.sys Kernel Driver

An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.

Amit Schendel
Amit Schendel
20 views•8 min read
•1 day ago•CVE-2026-11822
7.8

CVE-2026-11822: Memory Corruption and Buffer Overflow in SQLite FTS5 Extension

A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.

Amit Schendel
Amit Schendel
7 views•5 min read
•2 days ago•CVE-2026-56350
6.3

CVE-2026-56350: SSO Enforcement Bypass in n8n via API Parameter Pollution / Mass Assignment

A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).

Amit Schendel
Amit Schendel
9 views•6 min read
•6 days ago•CVE-2026-55699
6.5

CVE-2026-55699: Arbitrary Directory Deletion via Path Traversal in pnpm globalBinDir Resolver

CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because the manifest validation process fails to prevent relative path segments within the package 'bin' keys. When a malicious package containing structured path traversal markers is globally installed and later manipulated, pnpm resolves the target paths through path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.

Amit Schendel
Amit Schendel
23 views•6 min read
•6 days ago•CVE-2026-55700
7.1

CVE-2026-55700: Path Traversal and Arbitrary File Write in pnpm stage download

A path traversal vulnerability in pnpm stage download allows malicious registries or compromised package manifests to overwrite arbitrary files on the victim's filesystem via unvalidated package name and version fields.

Alon Barad
Alon Barad
16 views•4 min read