CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

CVE-2024-21626
8.690.25%

Leaky Vessels: Escaping the Container Ship with CVE-2024-21626

Amit Schendel
Amit Schendel
Senior Security Researcher

Jan 1, 2026·11 min read·6 visits

Active ExploitationCISA KEV Listed

Executive Summary (TL;DR)

A flaw in runc's `WORKDIR` handling allows a malicious container to escape its sandbox. By racing runc's initialization process, the container can trick it into opening a file handle to the host's filesystem. This provides a direct path to host access, leading to a full container escape and RCE on the node.

CVE-2024-21626 is a critical vulnerability in runc, the low-level container runtime underpinning Docker, Kubernetes, and other major containerization platforms. The flaw stems from a race condition and file descriptor leak when processing the `WORKDIR` instruction for a new container or when using `runc exec`. A malicious actor can craft a container image that tricks runc into retaining a handle to the host filesystem, allowing the container to break out of its isolation and achieve full remote code execution on the underlying host machine, completely shattering the security boundary of containerization.

Technical Appendix

CVSS Score
8.6/ 10
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Probability
90.25%
Top 10% most exploited

Affected Systems

runcDocker EnginecontainerdPodmanCRI-OKubernetes clusters relying on vulnerable runtimes

Affected Versions Detail

Product
Affected Versions
Fixed Version
runc
Open Container Initiative
< 1.1.121.1.12
AttributeDetail
CWE IDCWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Attack VectorLocal (Attacker must be able to run a malicious container on the host)
CVSS Score8.6 (High)
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
ImpactContainer Escape, Host RCE
Exploit StatusActive Exploitation / Public PoC
KEV StatusListed in CISA KEV Catalog
EPSS Score90.25% (0.90252)

MITRE ATT&CK Mapping

T1611Escape to Host
Privilege Escalation
T1611Escape to Host
Lateral Movement
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Known Exploits & Detection

GitHubOfficial GitHub Security Advisory for runc.
Snyk BlogDetailed technical writeup on the 'Leaky Vessels' vulnerabilities, including CVE-2024-21626.

Vulnerability Timeline

Public disclosure of the vulnerability.
2024-01-31
Patched version of runc (1.1.12) released.
2024-01-31
Major container vendors begin releasing patched versions of their software.
2024-02-01
CVE-2024-21626 added to the CISA KEV catalog.
2024-02-15

References & Sources

  • [1]NVD Entry for CVE-2024-21626
  • [2]GitHub Advisory: runc process.cwd breakout
  • [3]CISA KEV Catalog
  • [4]Red Hat CVE Database Entry

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.