Leaky Vessels: Escaping the Container Ship with CVE-2024-21626
Jan 1, 2026·11 min read·5 visits
Executive Summary (TL;DR)
A flaw in runc's `WORKDIR` handling allows a malicious container to escape its sandbox. By racing runc's initialization process, the container can trick it into opening a file handle to the host's filesystem. This provides a direct path to host access, leading to a full container escape and RCE on the node.
CVE-2024-21626 is a critical vulnerability in runc, the low-level container runtime underpinning Docker, Kubernetes, and other major containerization platforms. The flaw stems from a race condition and file descriptor leak when processing the `WORKDIR` instruction for a new container or when using `runc exec`. A malicious actor can craft a container image that tricks runc into retaining a handle to the host filesystem, allowing the container to break out of its isolation and achieve full remote code execution on the underlying host machine, completely shattering the security boundary of containerization.
Technical Appendix
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
runc Open Container Initiative | < 1.1.12 | 1.1.12 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| Attack Vector | Local (Attacker must be able to run a malicious container on the host) |
| CVSS Score | 8.6 (High) |
| CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Impact | Container Escape, Host RCE |
| Exploit Status | Active Exploitation / Public PoC |
| KEV Status | Listed in CISA KEV Catalog |
| EPSS Score | 90.25% (0.90252) |