CVE-2024-21626
Container Escape vulnerability in runc (Go)

Tags: Container Escape, Proof of concept, Fixable by Resolved Security

What is CVE-2024-21626 About?

This vulnerability is a Container Escape in runc, caused by an internal file descriptor leak and improper verification of working directories. It allows attackers to gain access to the host filesystem or overwrite host binaries, leading to complete system control. Exploitation requires some user interaction, and its complexity varies by attack vector.

Affected Software

github.com/opencontainers/runc >1.0.0-rc93, <1.1.12

Technical Details

The vulnerability stems from an internal file descriptor leak within runc versions 1.1.11 and earlier, specifically a handle to the host's /sys/fs/cgroup leaked into runc init.

Attack 1 leverages this by setting process.cwd to a path like /proc/self/fd/7/ (where 7 is the leaked FD), causing the container's PID 1 process to have a working directory in the host filesystem namespace, thus allowing host filesystem access. A malicious image can create a symlink to /proc/self/fd/7/ to trick users. This is exacerbated by runc not verifying that the final working directory is within the container's mount namespace after chdir(2).

Attack 2 extends this to runc exec, where a malicious in-container process can symlink a target path to /proc/self/fd/7/ if runc exec is called with --cwd.

Attacks 3a and 3b are modifications that use paths like /proc/self/fd/7/../../../bin/bash as the process.args binary argument to execute a host binary within the container context. The /proc/$pid/exe handle is then used to overwrite the host binary, leading to a complete container escape and host compromise. The attacker can then use the overwritten host binary (e.g., /bin/bash) to gain full control upon its execution by a privileged host user.
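The following Go program is an added example, not code from runc or from this page, showing a defensive admission check for the pattern described above: it parses the process.cwd and process.args[0] fields of an OCI config.json and flags any /proc/<pid-or-self>/fd/<n> reference. The check inspects the raw path on purpose, because lexical cleaning (filepath.Clean) turns /proc/self/fd/7/../../../bin/bash into /bin/bash and hides the traversal, while the kernel resolves the magic link first. The sample config is constructed; this check covers only the spec fields, not symlinks placed inside the image rootfs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal subset of the OCI runtime spec (config.json) needed here.
type ociSpec struct {
	Process struct {
		Cwd  string   `json:"cwd"`
		Args []string `json:"args"`
	} `json:"process"`
}

// refersToProcFD reports whether the raw path contains the component
// sequence /proc/<self|pid>/fd/<n>. It deliberately does not call
// filepath.Clean: ".." after the magic link walks up from the host
// directory the descriptor points to, not from /proc.
func refersToProcFD(p string) bool {
	parts := strings.Split(strings.TrimPrefix(p, "/"), "/")
	for i := 0; i+3 < len(parts); i++ {
		if parts[i] == "proc" && parts[i+2] == "fd" {
			return true
		}
	}
	return false
}

// SuspiciousFields returns the names of process fields in an OCI config
// that reference a /proc/*/fd/ path (the CVE-2024-21626 pattern).
func SuspiciousFields(configJSON []byte) ([]string, error) {
	var spec ociSpec
	if err := json.Unmarshal(configJSON, &spec); err != nil {
		return nil, err
	}
	var hits []string
	if refersToProcFD(spec.Process.Cwd) {
		hits = append(hits, "process.cwd")
	}
	if len(spec.Process.Args) > 0 && refersToProcFD(spec.Process.Args[0]) {
		hits = append(hits, "process.args[0]")
	}
	return hits, nil
}

func main() {
	// Constructed sample resembling the Attack 1 / 3a pattern.
	sample := `{"process":{"cwd":"/proc/self/fd/7/","args":["/proc/self/fd/7/../../../bin/bash"]}}`
	hits, err := SuspiciousFields([]byte(sample))
	fmt.Println(hits, err) // [process.cwd process.args[0]] <nil>
}
```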

What is the Impact of CVE-2024-21626?

Successful exploitation may allow attackers to gain unauthorized access to the host filesystem, execute arbitrary code on the host, or achieve a complete container escape and compromise the host system.

What is the Exploitability of CVE-2024-21626?

Exploitation varies in complexity depending on the attack vector. For Attack 1 and 3a, it requires a user to be tricked into running a malicious container image, which implies user interaction. For Attack 2 and 3b, exploitation requires a malicious process inside the container to anticipate an administrative runc exec with a specific --cwd argument, allowing a path substitution with a symlink. Privilege requirements range from no privileges (for running a malicious image) to low privileges (for a process within a container). These are local vulnerabilities, as they involve breaking out of a container to the host or using runc exec within a container environment. Risk factors include the use of untrusted container images or frequent use of runc exec with a --cwd argument pointing to modifiable paths.

What are the Known Public Exploits?

PoC Author | Link | Commentary
NitroCao   | Link | PoC and Detection for CVE-2024-21626
Wall1e     | Link | PoC for CVE-2024-21626
V0WKeep3r  | Link | PoC for CVE-2024-21626

What are the Available Fixes for CVE-2024-21626?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

None

Available Upgrade Options

  • github.com/opencontainers/runc
    • >1.0.0-rc93, <1.1.12 → Upgrade to 1.1.12


Additional Resources

What are Similar Vulnerabilities to CVE-2024-21626?

Similar Vulnerabilities: CVE-2019-5736, CVE-2021-30465, CVE-2022-26134, CVE-2022-0492, CVE-2021-38189