Jan 1, 2026·11 min read·59 visits
A flaw in runc's `WORKDIR` handling allows a malicious container to escape its sandbox. By racing runc's initialization process, the container can trick it into opening a file handle to the host's filesystem. This provides a direct path to host access, leading to a full container escape and RCE on the node.
CVE-2024-21626 is a critical vulnerability in runc, the low-level container runtime underpinning Docker, Kubernetes, and other major containerization platforms. The flaw stems from a race condition and file descriptor leak when processing the `WORKDIR` instruction for a new container or when using `runc exec`. A malicious actor can craft a container image that tricks runc into retaining a handle to the host filesystem, allowing the container to break out of its isolation and achieve full remote code execution on the underlying host machine, completely shattering the security boundary of containerization.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
runc Open Container Initiative | < 1.1.12 | 1.1.12 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| Attack Vector | Local (Attacker must be able to run a malicious container on the host) |
| CVSS Score | 8.6 (High) |
| CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Impact | Container Escape, Host RCE |
| Exploit Status | Active Exploitation / Public PoC |
| KEV Status | Listed in CISA KEV Catalog |
| EPSS Score | 90.25% (0.90252) |
An integer truncation vulnerability (CWE-197) exists in SQLite before version 3.50.2 during the processing of aggregate queries with more than 32,767 distinct column references. This causes an internal 32-bit counter to truncate to a signed 16-bit integer, producing negative values that cause out-of-bounds heap operations in release builds.
An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.
A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.
A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).
CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because the manifest validation process fails to prevent relative path segments within the package 'bin' keys. When a malicious package containing structured path traversal markers is globally installed and later manipulated, pnpm resolves the target paths through path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.
A path traversal vulnerability in pnpm stage download allows malicious registries or compromised package manifests to overwrite arbitrary files on the victim's filesystem via unvalidated package name and version fields.