CVE-2023-28642

The Path of Least Resistance: Bypassing AppArmor in runc via /proc Symlinks

Amit Schendel
Senior Security Researcher

Jan 1, 2026

Executive Summary (TL;DR)

In runc before 1.1.5, a container image can ship `/proc` as a symbolic link instead of an ordinary directory, and runc will accept it. runc applies the container's AppArmor profile (and potentially its SELinux label) by writing to the process attribute files under `/proc` from inside the container's mount namespace, so with a symlinked `/proc` and a specific mount configuration that write can be redirected away from the real procfs and the profile is never applied or enforced as intended. An attacker who gets a victim to run such an image therefore runs without the confinement the profile was meant to provide, exposing whatever host resources the profile would otherwise have denied.

A vulnerability in runc that lets an attacker bypass AppArmor (and potentially SELinux) confinement by crafting a container image whose `/proc` is a symbolic link, so the labels the host intended to enforce are not applied to the container's processes.
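The two checks that matter in practice are the one the fixed runtime performs (refuse to mount proc or sysfs onto anything that is not an ordinary directory) and the one an image pipeline can perform earlier (flag a layer that ships `/proc` or `/sys` as a symlink at all). The Go program below is an added example written for this page; it is not runc's code, and the function names, the `ProtectedMountpoints` list and the in-memory sample layer are assumptions made for illustration. `CheckMountpointDir` mirrors the shape of the 1.1.5 fix using `os.Lstat` so a symlink is seen rather than followed; `FindSymlinkedMountpoints` walks an uncompressed layer tar and reports protected mount points stored as symlink entries.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// ProtectedMountpoints: pseudo-filesystem mount points that must be ordinary
// directories in a rootfs. Assumed list for this example, not runc's code.
var ProtectedMountpoints = []string{"/proc", "/sys"}

// ErrSymlinkedMountpoint is returned when a protected mount point is a symlink.
var ErrSymlinkedMountpoint = errors.New("mount point is a symbolic link, not an ordinary directory")

// CheckMountpointDir is the runtime-side check: before mounting a pseudo
// filesystem at dest inside rootfs, require dest to be absent (the runtime
// would create it) or an ordinary directory. Lstat is deliberate: Stat would
// follow the symlink and report the target, hiding exactly what we look for.
func CheckMountpointDir(rootfs, dest string) error {
	p := filepath.Join(rootfs, filepath.Clean("/"+dest))
	fi, err := os.Lstat(p)
	if err != nil {
		if errors.Is(err, os.ErrNotExist) {
			return nil
		}
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("%s: %w", dest, ErrSymlinkedMountpoint)
	}
	if !fi.IsDir() {
		return fmt.Errorf("%s: exists but is not a directory", dest)
	}
	return nil
}

// FindSymlinkedMountpoints is the image-side check: walk an uncompressed
// layer tar and report every protected mount point the layer ships as a
// symlink. Entry names are normalised so "proc", "./proc" and "/proc" match.
func FindSymlinkedMountpoints(layer io.Reader, protected []string) ([]string, error) {
	tr := tar.NewReader(layer)
	var hits []string
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			break
		}
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag != tar.TypeSymlink {
			continue
		}
		name := filepath.Clean("/" + hdr.Name)
		for _, p := range protected {
			if name == p {
				hits = append(hits, fmt.Sprintf("%s -> %s", name, hdr.Linkname))
			}
		}
	}
	return hits, nil
}

// BuildSampleLayer builds a constructed in-memory layer tar (not a real image).
// With a non-empty procLink, /proc is a symlink to it (the malicious shape);
// otherwise /proc is an ordinary directory.
func BuildSampleLayer(procLink string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	must(tw.WriteHeader(&tar.Header{Name: "bin/", Typeflag: tar.TypeDir, Mode: 0o755}))
	if procLink != "" {
		must(tw.WriteHeader(&tar.Header{Name: "proc", Typeflag: tar.TypeSymlink, Linkname: procLink, Mode: 0o777}))
	} else {
		must(tw.WriteHeader(&tar.Header{Name: "proc/", Typeflag: tar.TypeDir, Mode: 0o555}))
	}
	must(tw.Close())
	return buf.Bytes()
}

func main() {
	// Image-side: catch the symlink before the layer reaches any runtime.
	hits, err := FindSymlinkedMountpoints(bytes.NewReader(BuildSampleLayer("tmp/fakeproc")), ProtectedMountpoints)
	if err != nil {
		panic(err)
	}
	fmt.Println("symlinked mount points in layer:", hits)

	// Runtime-side: the same shape on an extracted rootfs in a temp dir.
	rootfs, err := os.MkdirTemp("", "rootfs-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(rootfs)
	if err := os.Symlink("tmp/fakeproc", filepath.Join(rootfs, "proc")); err != nil {
		panic(err)
	}
	fmt.Println("rootfs check:", CheckMountpointDir(rootfs, "/proc"))
}
```

When scanning real images, run the layer check over every layer, not just the base: a later layer can whiteout an ordinary `/proc` and replace it with a symlink, and only the runtime-side check on the assembled rootfs sees the final result. The runtime check also belongs immediately before the mount, after any earlier rootfs manipulation, so nothing can swap the directory for a link in between.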


Technical Appendix

CVSS score: 6.1 / 10 (Medium)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS probability: 0.01% (among the least likely CVEs to be exploited in the wild)

Affected Systems

- runc < 1.1.5
- Docker (dependent on the bundled runc version)
- Kubernetes (dependent on the node's container runtime)
- containerd (uses runc as its default runtime)

Affected Versions Detail

| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| runc | Open Container Initiative | < 1.1.5 | 1.1.5 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-281 |
| Attack Vector | Local (image-based) |
| CVSS | 6.1 (Medium) |
| Privileges Required | None |
| User Interaction | Required (victim must run the image) |
| Impact | Security bypass (AppArmor/SELinux confinement) |

CWE-281: Improper Preservation of Permissions

Vulnerability Timeline

- 2023-03-29: Patch merged (PR #3785)
- 2023-03-29: runc 1.1.5 released
- 2023-03-29: CVE published