CVE-2023-28642
The Path of Least Resistance: Bypassing AppArmor in runc via /proc Symlinks
Amit Schendel
Senior Security Researcher · Jan 1, 2026 · 6 min read
PoC Available
Executive Summary (TL;DR)
runc < 1.1.5 allows container images to replace the `/proc` directory with a symbolic link. This confuses path-based security modules like AppArmor, causing them to fail to apply or enforce profiles correctly. An attacker can use this to bypass confinement and access sensitive host resources.
The vulnerability allows attackers to bypass AppArmor and SELinux profiles by crafting container images with a symlinked /proc directory, effectively blinding the host's security controls.
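As an added, defensive illustration (not runc's code and not the advisory's PoC), the following pre-flight check inspects an extracted image rootfs the way a runtime should before mounting procfs: the mountpoint must be a real directory, never a symlink. The sample rootfs layouts are constructed inline, and the check also covers /sys and /dev, which goes beyond the /proc case this page describes.

```python
import os
import stat
import tempfile
from pathlib import Path

# Mountpoints the runtime populates with kernel pseudo-filesystems. If an image
# ships one as a symlink, path-based LSM rules no longer describe what is mounted.
SENSITIVE_MOUNTPOINTS = ("proc", "sys", "dev")

def check_mountpoints(rootfs, names=SENSITIVE_MOUNTPOINTS):
    """Return {name: finding or None}. A missing entry is fine (the runtime
    creates the directory); a symlink or other non-directory is a finding."""
    root = Path(rootfs)
    findings = {}
    for name in names:
        target = root / name
        try:
            st = os.lstat(target)  # lstat: a symlink is reported, not followed
        except FileNotFoundError:
            findings[name] = None
            continue
        if stat.S_ISLNK(st.st_mode):
            findings[name] = f"/{name} is a symlink -> {os.readlink(target)}"
        elif not stat.S_ISDIR(st.st_mode):
            findings[name] = f"/{name} is not a directory"
        else:
            findings[name] = None
    return findings

def image_is_safe(rootfs):
    """True when no sensitive mountpoint in the extracted image is suspicious."""
    return all(v is None for v in check_mountpoints(rootfs).values())

def build_demo_rootfs(symlinked_proc, base=None):
    """Constructed sample: an extracted image with a real or a symlinked /proc."""
    base = base or tempfile.mkdtemp(prefix="rootfs-check-")
    root = Path(base) / ("bad" if symlinked_proc else "good")
    (root / "sys").mkdir(parents=True)
    (root / "dev").mkdir()
    if symlinked_proc:
        os.symlink("../outside", root / "proc")  # resolves outside the image
    else:
        (root / "proc").mkdir()
    return str(root)

if __name__ == "__main__":
    for flag in (False, True):
        rootfs = build_demo_rootfs(flag)
        print(rootfs, check_mountpoints(rootfs), "safe" if image_is_safe(rootfs) else "UNSAFE")
```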
CVSS Score
6.1 / 10
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Probability
0.01%
Top 100% most exploited
Affected Systems
- runc < 1.1.5
- Docker (dependent on bundled runc version)
- Kubernetes (dependent on node container runtime)
- Containerd (uses runc as default runtime)
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| runc (Open Container Initiative) | < 1.1.5 | 1.1.5 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-281 |
| Attack Vector | Local (Image-based) |
| CVSS | 6.1 (Medium) |
| Privileges Required | None (User Interaction) |
| User Interaction | Required (Victim must run image) |
| Impact | Security Bypass (AppArmor/SELinux) |
MITRE ATT&CK Mapping
CWE-281: Improper Preservation of Permissions
Known Exploits & Detection
Vulnerability Timeline
- 2023-03-29: Patch merged (PR #3785)
- 2023-03-29: runc 1.1.5 released
- 2023-03-29: CVE published