Don't let your containers escape! Update runc & Docker Now!

February 1, 2024 - CSP Team

Critical runc Vulnerabilities: What You Need to Know

TL;DR: Update runc to 1.1.12 or later, and anything that bundles it (Docker Engine 25.0.2 or later, Docker Desktop 4.27.1 or later), to fix a container escape in runc and three related vulnerabilities in BuildKit.

On January 31, 2024, the security research team at Snyk disclosed a set of vulnerabilities it calls "Leaky Vessels". The most serious is a container escape in runc versions 1.1.11 and earlier (CVE-2024-21626); the other three are in BuildKit, the build backend used by Docker. The runc flaw lets a malicious container break out of its isolation and read and write the host filesystem, which defeats the main security property a container runtime is supposed to provide.

Attackers can exploit these issues by:

  • Getting a victim to run a malicious container image
  • Getting a victim to build a malicious Dockerfile, for example one submitted in a pull request or inherited from a tampered base image

The threat is particularly concerning for CI/CD pipelines and Docker Desktop environments, which routinely build and run popular open-source images and Dockerfiles from outside the organization, any of which may have been tampered with.

Key Vulnerability: CVE-2024-21626

This CVE describes a full container breakout. During container setup runc leaks an internal file descriptor that refers to a directory on the host; a container whose working directory (the process.cwd field of the OCI config, or WORKDIR in a Dockerfile) is set to /proc/self/fd/<N> for that descriptor therefore starts with a host directory as its current directory, outside the container's root filesystem. Exploitation could lead to:

  • Unauthorized host filesystem access
  • Tampering with the build cache
  • Complete escape from container runtime boundaries

Exploitation requires user interaction, such as building or running an image that carries the malicious content. In a CI pipeline, "building a pull request" is exactly that interaction, so anyone who can get a Dockerfile built is in a position to exploit it.

How to Mitigate the Risk

Update your software:

  • runc: Upgrade to 1.1.12 or later, which closes the file descriptor leak. This applies to every runtime that bundles runc, including containerd-based hosts, not only Docker.
  • Docker Engine: Make sure you're running v25.0.2 or later (see the Docker Engine release notes); this release also ships the fixed runc and BuildKit.
  • Docker Desktop: 4.27.1 or later, which bundles the fixed runc and BuildKit.
  • BuildKit (if you run buildkitd directly): 0.12.5 or later.
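A quick way to turn the version requirements above into a check you can run on each host, as an added example that is not part of the original post: the script below parses the output of `runc --version` and `docker --version` and compares it against the fixed releases (runc 1.1.12, Docker Engine 25.0.2). The function names, the constructed sample outputs, and the `--check` flag are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: a version gate for the fixed releases
# named in the text (runc 1.1.12, Docker Engine 25.0.2). The two tools are only
# invoked when run as `sh check-versions.sh --check`; parsing and comparison are
# plain functions so they can be exercised on captured output without either
# tool installed.

RUNC_FIXED="1.1.12"
DOCKER_FIXED="25.0.2"

# version_ge A B: succeed if dotted version A is >= B. Compares the first three
# numeric fields; a leading "v" and any suffix after the numbers are dropped, so
# a prerelease such as 1.1.12-rc.1 is treated as 1.1.12 (review those by hand).
version_ge() {
    a=$(printf '%s' "$1" | sed 's/^v//; s/[^0-9.].*$//').0.0   # pad so 3 fields always exist
    b=$(printf '%s' "$2" | sed 's/^v//; s/[^0-9.].*$//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i"); fa=${fa:-0}
        fb=$(printf '%s' "$b" | cut -d. -f"$i"); fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Pull the version number out of `runc --version` / `docker --version` text.
# `docker --version` reports the CLI; for a remote engine use
# `docker version --format '{{.Server.Version}}'` and feed that to version_ge.
parse_runc_version() {
    printf '%s\n' "$1" | sed -n 's/^runc version \([^ ]*\).*/\1/p' | head -n 1
}
parse_docker_version() {
    printf '%s\n' "$1" | sed -n 's/^Docker version \([^,]*\),.*/\1/p' | head -n 1
}

# runc_is_fixed TEXT / docker_is_fixed TEXT: succeed only when the version parsed
# from the given --version output is at or above the fixed release.
runc_is_fixed() {
    v=$(parse_runc_version "$1")
    [ -n "$v" ] && version_ge "$v" "$RUNC_FIXED"
}
docker_is_fixed() {
    v=$(parse_docker_version "$1")
    [ -n "$v" ] && version_ge "$v" "$DOCKER_FIXED"
}

# Live check of this host. On Docker Desktop the engine and runc live inside the
# Desktop VM, so check the Desktop version (4.27.1 or later) instead.
check_host() {
    rc=0
    if command -v runc >/dev/null 2>&1; then
        out=$(runc --version 2>/dev/null)
        if runc_is_fixed "$out"; then
            echo "runc $(parse_runc_version "$out"): OK (>= $RUNC_FIXED)"
        else
            echo "runc $(parse_runc_version "$out"): VULNERABLE, upgrade to >= $RUNC_FIXED"; rc=1
        fi
    else
        echo "runc not found on PATH (expected on Docker Desktop; check the Desktop version)"
    fi
    if command -v docker >/dev/null 2>&1; then
        out=$(docker --version 2>/dev/null)
        if docker_is_fixed "$out"; then
            echo "docker $(parse_docker_version "$out"): OK (>= $DOCKER_FIXED)"
        else
            echo "docker $(parse_docker_version "$out"): VULNERABLE, upgrade to >= $DOCKER_FIXED"; rc=1
        fi
    else
        echo "docker not found on PATH"
    fi
    return $rc
}

# Constructed samples in the format the two tools print, for offline checks.
SAMPLE_RUNC_OLD="runc version 1.1.11
commit: v1.1.11-0-g4bccb38
spec: 1.0.2-dev"
SAMPLE_RUNC_NEW="runc version 1.1.12
commit: v1.1.12-0-g51d5e94
spec: 1.0.2-dev"
SAMPLE_DOCKER_OLD="Docker version 24.0.7, build afdd53b"
SAMPLE_DOCKER_NEW="Docker version 25.0.2, build 29cf629"

case "${1:-}" in
    --check) check_host ;;
esac
```

Run it as `sh check-versions.sh --check`; it exits non-zero if either component is below the fixed release, so it can sit in a fleet-wide compliance job.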

Detection Tools

Detecting exploitation attempts is difficult due to limited runtime visibility in most container environments, and this escape leaves little trace at the container layer: the escaped process is an ordinary container process whose working directory happens to point into the host.

However, Snyk has released an eBPF-based runtime detection tool, leaky-vessels-dynamic-detector (https://github.com/snyk/leaky-vessels-dynamic-detector), along with a companion static scanner, leaky-vessels-static-detector, for checking Dockerfiles and images before they are built.

It helps detect:

  • CVE-2024-21626 (runc: escape via a leaked file descriptor and the container working directory)
  • CVE-2024-23651 (BuildKit: race condition in cache mounts that can expose host files to a build step)
  • CVE-2024-23652 (BuildKit: arbitrary file deletion on the host during RUN --mount teardown)
  • CVE-2024-23653 (BuildKit: privilege check bypass that can create a privileged build container)

We haven’t validated the tool yet, but it shows promise.
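As a cheap complement to the runtime detector, here is an added example (not from the original post and not Snyk's tool) of a pre-build gate for the Dockerfile vector of CVE-2024-21626: the runc advisory documents an escape via a working directory set to /proc/self/fd/<N>, where N is a descriptor runc leaks during setup, so the scanner flags any WORKDIR under /proc/self/fd/ as high severity and any other instruction touching that path as medium. The function names and sample Dockerfiles are constructed for this example; it covers only the runc CVE, not the three BuildKit ones.

```shell
#!/bin/sh
# Added example, not from the original post and not Snyk's tool: a pre-build gate
# for the Dockerfile pattern documented for CVE-2024-21626. The runc advisory
# describes an escape via a working directory set to /proc/self/fd/<N>, where <N>
# is a file descriptor runc leaks during container setup (the number varies by
# host). On a fixed runc such a build step simply fails; on an unpatched one it
# runs with a host directory as its cwd. Any other instruction that touches
# /proc/self/fd/ is reported at lower severity. Heuristic only: it reads raw
# Dockerfile text, so variables and line continuations are not expanded.

# scan_dockerfile_text TEXT: print "line:severity:instruction" per finding,
# exit 1 if anything was found, exit 0 otherwise.
scan_dockerfile_text() {
    printf '%s\n' "$1" | awk '
        # skip blank lines and comments
        $1 == "" || $1 ~ /^#/ { next }
        {
            inst = tolower($1)
            if (inst == "workdir" && index($2, "/proc/self/fd/") == 1) {
                print NR ":HIGH:" $0; found = 1
            } else if (index($0, "/proc/self/fd/") > 0) {
                print NR ":MEDIUM:" $0; found = 1
            }
        }
        END { exit (found ? 1 : 0) }'
}

# scan_dockerfile FILE: same check, reading the Dockerfile from disk.
scan_dockerfile() {
    scan_dockerfile_text "$(cat "$1")"
}

# Constructed samples: one Dockerfile carrying the escape pattern, one clean.
SAMPLE_BAD='FROM alpine:3.19
# a comment mentioning /proc/self/fd/ is not a finding
workdir /proc/self/fd/7
RUN ls -la /proc/self/fd/7
CMD ["sh"]'
SAMPLE_GOOD='FROM alpine:3.19
WORKDIR /app
COPY . .
RUN ./build.sh
CMD ["./app"]'

# Usage: sh scan-dockerfile.sh Dockerfile [Dockerfile ...]
# Exits 1 if any file has findings, so it can block a CI build.
status=0
for f in "$@"; do
    echo "== $f"
    scan_dockerfile "$f" || status=1
done
[ "$status" -eq 0 ] || exit 1
```

Wire it in as the first step of the build job, before `docker build`, and treat any HIGH finding as a hard failure; MEDIUM findings deserve a look but may be legitimate diagnostics.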

Why Container Escapes Matter

While rare, container escape vulnerabilities are high-impact threats. They undermine one of the core assumptions of container security: isolation. If an attacker breaks out, the entire host system could be compromised.

Threat modeling for containerized environments should always include the risk of container breakout—especially when running untrusted workloads or public images.

Need Help?

If you're unsure about how exposed your infrastructure might be, or you want to assess your container ecosystem as a whole, reach out to Cloud Security Partners for a consultation.

John Poulin is the CTO of Cloud Security Partners. With over 10 years of experience in application security and software development, John has worked with both Fortune 500 companies and startups on secure code reviews, architecture analysis, and threat modeling.
